Cyberattack shutters Canvas learning platform for schools across the U.S.
A system used by thousands of schools and universities was offline Thursday due to a cyberattack, creating chaos as students tried to study for their exams and underscoring education’s reliance on technology.
The hacking group named ShinyHunters claimed responsibility for the breach at Instructure, the company behind the Canvas learning management system, said Luke Connolly, a threat analyst at cybersecurity firm Emisoft.
CBS News has contacted Instructure for comment.
Some of the universities that said they were targeted include Penn State, the University of Wisconsin-Madison, Columbia University and Union College of New Jersey.
UCLA was among several California schools that reported being paralyzed by the outage.
Also impacted in the Chicago area were Northwestern University, the University of Chicago, the University of Illinois at Chicago, and the University of Illinois.
In a message to students, Penn State said “no one has access” to Canvas and that a “resolution” was not expected “in the next 24 hours.”
The school said all tests scheduled for Thursday and Friday at its Pollock testing center have been canceled.
The Harvard student newspaper reported that the system was there too. And public school districts also sought to reassure parents, with officials in Spokane, Washington, writing that they were “not aware of any sensitive data contained in this breach.”
Canvas is used to manage grades, lecture notes, assignments, lecture videos and much more. The hacking group posted online that nearly 9,000 schools worldwide were affected, and that billions of private messages and other documents had been accessed, Connolly said.
Screenshots he provided show the group began threatening to release the trove of data on Sunday, giving deadlines of Thursday and May 12. Connolly said this later date indicates discussions regarding extortion payments may be underway.
Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who assiduously locate and retrieve sensitive files that not long ago were put on paper in locked cabinets. Past attacks have affected Minneapolis Public Schools and the Los Angeles Unified School District.
Instructure did not post information about the attack on its social media channels.
Connolly said the Canvas attack is strikingly similar to a breach at PowerSchool, which also offers learning management tools. In this case, a student from Massachusetts was charged.
Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the United States and the United Kingdom. The group has also been linked to other attacks, including one targeting Live Nation’s Ticketmaster subsidiary.
