This story was originally published by EdSource. Sign up for their daily newsletter.
The company that owns Canvas, the educational management system used by college and high school students and faculty throughout California, said hackers gained access to the web-based system through a vulnerability.
In a statement posted Monday on the CSU system website, Steve Daly, CEO of Instructure, said hackers exploited a vulnerability in the system’s “Free for Teacher” support tickets. That area of the system has been disabled temporarily while Instructure completes a full security review.
On Thursday the black-hat cybercrime group ShinyHunters breached Canvas, the system used by students to complete course assignments. For Thursday and most of Friday — when many final projects and exams were due — students and faculty could not access the system where all course materials and grades are stored.
On Monday, access to Canvas was restored. The UC and CSU systems reported that the system is available Monday morning, as did the California Community College network of campuses. Public K-12 school districts were also affected, including the San Diego Unified School District which notified students that the Canvas platform has been restored.
Daly issued an apology for the cyberattack and for the way Instructure handled the breach.
“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” Steve Daly, CEO of Instructure, wrote in a statement.
Daly said that hackers gained unauthorized access to data fields including usernames, email addresses, course names, enrollment information and messages.
“Core learning data (course content, submissions, credentials) was not compromised,” he wrote.
As a result of last week’s breach, Instructure launched an incident update page where a summary of their forensic report will be posted within 48 hours.
