Instructure, Canvas’s host company, announced on May 7 that a data breach had occurred, affecting all public and private school, college and university users.
Instructure’s official press release states that an “unauthorized actor made changes to the pages when some students and teachers logged in through Canvas.”
Canvas also experienced a disruption to services on April 29 prior to the breach. Instructure found the breached source and immediately removed the unauthorized source’s access to Canvas upon detection. In the press release, Instructure describes the information leaked to be “usernames, email addresses, course names, enrollment information and messages.”
Instructure’s investigations are still on-going, and updates are visible on their website.
District technology coordinator Greg Hunt, sent out emails on May 8 to all students, parents and faculty regarding the breach. In his email, Hunt explained that Canvas “serves thousands of schools worldwide and that the attack was not directed to us or the district.”
“Instructure has not yet confirmed how many Susquehannock students or staff had their information leaked,” Hunt said. “Instructure has not found any evidence of passwords, Social Security numbers, dates of birth or any financial information being leaked during the data breach.”
Hunt advises all SYCSD staff, students and parents to be careful of phishing emails as cybercriminals use information to create more convincing emails. Phishing emails are used to steal information such as passwords, payment information, phone numbers and more. They are made to convince users to click on a link, enter a password or enter payment information to update a subscription, but once one enters information, they steal it and either sell it to other users or use it to blackmail.
Canvas was brought back online the same day it went down, becoming available for schools to use.
Instructure is still currently investigating the data breach and will update their website as they get new information. Instructure is coordinating with law enforcement and many cybersecurity agencies to help secure their platform further and to catch the criminals that held Canvas data for ransom.
