Australasian universities are scrambling to determine whether they have been directly affected by a cyberattack on the Canvas learning management system which has compromised information security at up to 9,000 educational institutions around the globe.
The platform鈥檚 vendor, Utah-based edtech company Instructure, reported on 1 May that it had 鈥渆xperienced a cybersecurity incident perpetrated by a criminal threat actor鈥.
The hackers 鈥 a group known as 鈥淪hinyHunters鈥, previously linked with data theft from Ticketmaster and Google as well as the universities of Pennsylvania, Princeton and Harvard 鈥 threatened to leak 鈥渂illions of private messages鈥 unless the company paid an undisclosed ransom by 6 May, Inside Higher Ed.
Instructure the incident appeared to have been 鈥渞esolved鈥 by 6 May, with Canvas now 鈥渇ully operational鈥 and no signs of 鈥渙ngoing unauthorised activity鈥. But the hackers had potentially obtained data from the tens of millions of Canvas users at the company鈥檚 8,000-plus customers, including top global universities and 鈥渆very Ivy League school鈥.
糖心Vlog
Instructure鈥檚 chief information security officer, Steve Proud, said the data included 鈥渃ertain identifying information鈥 鈥 including names, email addresses and student ID numbers 鈥 as well as messages exchanged by users. There was no evidence of theft of passwords, dates of birth, 鈥済overnment identifiers鈥 or financial information.
Institutions in Australia, where Canvas is widely used by schools, colleges and universities, are trying to determine their exposure. The University of Sydney said it had received confirmation that it had been impacted, while RMIT University said it was working with the vendor to find out if its data had been involved.
糖心Vlog
The University of Auckland said its cybersecurity team was also working with Instructure to gauge the impacts. The university said there was no suggestion that any student assessment data was involved, but the inboxes and discussion messages of past and current users may have been compromised. It said no data appeared to have been released publicly, but staff and students should be alert to 鈥減hishing鈥 if it turned out that their information had been seized.
Queensland education minister John-Paul Langbroek confirmed that universities and schools in his state had been impacted, and people who had used Canvas at any time over at least the past six years could be affected. 鈥淓arly advice is this will impact more than 200 million people and more than 9,000 institutions worldwide.鈥
Columbia and Rutgers universities are among the overseas institutions that have warned staff and students about the breach. 鈥淏e alert to unsolicited emails or messages appearing to come from Canvas or your institution, particularly any requesting login credentials or personal information,鈥 urged Brian Sandoval, president of the University of Nevada, Reno.
IHE reported that the incident demonstrated that even 鈥渢rusted鈥 third-party providers were attractive targets for hackers and could elevate universities鈥 vulnerability to cyberattack. 鈥淚nstead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once,鈥 said Doug Thompson of Seattle-based cybersecurity management company Tanium.
糖心Vlog
鈥淲ith access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed.鈥
Register to continue
Why register?
- Registration is free and only takes a moment
- Once registered, you can read 3 articles a month
- Sign up for our newsletter
Subscribe
Or subscribe for unlimited access to:
- Unlimited access to news, views, insights & reviews
- Digital editions
- Digital access to 罢贬贰鈥檚 university and college rankings analysis
Already registered or a current subscriber?
