
School-related nightmares are something of a universal experience across cultures and generations. Who among us hasn’t experienced a stressful dream where we’re suddenly thrust back into high school or college, about to take a major exam we’ve not prepared for, or staring down the barrel of some other scholastic catastrophe? Students at many American universities just went through a waking educational nightmare that will undoubtedly haunt their dreams long after graduation.
This Thursday, May 7th, deep in the throes of finals week, students at The University of Pennsylvania, Virginia Tech, Duke, and elsewhere ran into trouble while attempting to use Canvas, the educational software employed by thousands of schools and universities around the world. In the place of the usual Canvas dashboard, students were instead greeted with a ransom message from the notorious black-hat hacker group ShinyHunters.
“ShinyHunters has breached Instructure (again),” began the message, referring to a breach of Canvas earlier that month logged by the software’s parent company, Instructure. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
The alert went on to encourage schools affected by the breach to “please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement” before the end of the day on May 12th. If that deadline was missed, the ShinyHunters message threatened to leak sensitive data accessed in the platform, such as names, emails, student course schedules, and ID numbers. A list of affected schools previously posted by ShinyHunters indicated that 275 million Canvas users at over 9,000 schools—including every Ivy League university—would be impacted by this hack.
Naturally, students have turned to social media to vent their frustrations.
By the time the breach was first reported in university papers like The Daily Pennsylvanian, The Harvard Crimson, and The Collegiate Times, the ShinyHunters message had already been replaced, as of 4:20 PM, with a message from Canvas saying the platform was undergoing “scheduled maintenance.” Updates to these articles indicate the platform was accessible and operating as normal by later that night or by the morning of the 8th.
Whether these institutions reached into their multi-billion-dollar endowment fund couch cushions to scrounge up the ransom fee or just white-knuckled through it while their and Instructure’s white-hats saved the day is still unclear. Statements from impacted universities have been understandably buttoned-up, typically just acknowledging the issue and instructing students to stand by for updates.
Still, Canvas has apparently been removed from the ShinyHunters extortion page. And it wouldn’t be unheard of for one to quietly pay the bill and be done with this whole mess. Just this January, K-12 educational software company PowerSchool admitted to paying the ransom after a hacker breached the platform and accessed students’ personal data.
Regardless, this ShinyHunters Canvas breach is an important lesson about leverage for all parties. Some universities are already rescheduling Friday, May 8th, exams for Sunday, May 10th, but things otherwise appear to mostly be back to normal. Still, affected students shouldn’t let this rare opportunity where they hold extra cards go to waste. These institutions are undoubtedly sweating bullets right now, hoping to avoid mass accountability for not doing more to protect that data. Students can and should, at the very least, finagle a few percentage points of final exam grade curve out of this whole fiasco.













