Canvas hack impacts New York, New Jersey schools, universities amid finals season
A cyberattack on Canvas, a system used across the country, affected thousands of students and teachers in the New York area during finals season.
The company Instructure was hacked by a group called ShinyHunters, which said they gained access to student names, emails, ID numbers and private messages Thursday.
Instructure is behind Canvas, the learning management system that is used to manage grades, course notes, assignments and lecture videos.
New York City Schools Chancellor Kamar Samuels released a statement Friday about two privacy issues school officials learned about. One was impacting up to seven schools and another was local to one campus, he said.
"New York City Public Schools places a premium on the protection of student data and use of technology, and devotes significant resources to doing so. In line with that, we act quickly and urgently when we learn of a potential breach," Samuels said. "In such cases, we work around the clock with any vendor that may be involved, as well as all appropriate law enforcement agencies and NYC Cyber Command to drive towards resolution and safeguards as soon as feasible."
Cybersecurity experts said anyone who may have been compromised should change their password for Canvas and their bank accounts.
"Attackers are going to victimize these systems because there's so much data possible," cybersecurity expert Steve Cobb said. "In the next 30 days, these students and these teachers will start getting scam emails that are now much more specific to them because they have more detail around who they are."
Cobb also advised staying vigilant about phishing scams and monitoring credit scores.
What schools are affected by the Canvas hack?
Columbia University officials posted on social media that they were investigating after widespread issues were reported. The Mailman School of Public Health at the university postponed all exams and assignments due Friday.
"We have restored the application for people on campus at this point and we hope to be making it available to people who are virtually plugging in. The deans of each school have communicated with the students and faculty and are making decisions about what should move forward and on what schedule," Columbia Senior Executive Vice President Robert Kasdin said.
Columbia assured its students no personal information was compromised, even though hackers claimed to have accessed billions of private messages and other records.
Rutgers University Senior VP Michele Norin said in an update Friday the school was still "assessing the safety and stability of the Rutgers Canvas system" after Instructure announced it had restored access.
"The Office of Information Technology has decided to take important security precautions for your protection before restoring Canvas access at Rutgers," Norin said.
The university said in an earlier statement that each campus would share updates with students, faculty and staff about exams and coursework impacted by the Canvas hack.
Is Canvas back up yet?
A status log posted by Instructure said that Canvas was now available for most users, after it said Canvas, Canvas Beta and Canvas Test were in maintenance mode.
A spokesperson from Instructure said Canvas was "now fully back online and available for use." The spokesperson said the company found that an unauthorized actor involved in a security incident was making changes to Canvas.
"Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts," the statement read.