Canvas system back online after cyberattack disrupted thousands of schools

Tens of thousands of students studying for final exams around the world Friday regained access to a key online learning system after a cyberattack had earlier knocked it offline, throwing schools and universities into turmoil.

Elizabeth Polo was in a creative writing class at the University of Maryland late Thursday afternoon when a classmate shouted, "Canvas got hacked." A message from a hacking collective flashed on her computer screen.

PREVIOUS: Canvas hack strands students during finals week as UC and CSU systems monitor breach

"Our whole class just like was like freaking out about it," said Polo, a junior. "Our poor professor was trying to get everyone to calm down but it was just kind of chaos."

Across academia, the outage set off panic and confusion as students and faculty members found themselves locked out of a platform they rely on to manage grades and access course notes and assignments. Colleges scrambled to reschedule final exams as students lost any way to access materials they needed to study.

Instructure, the company behind Canvas, said in an update late Thursday that the system was available for most users. Instructure has not posted about the attack on its social media, and the company didn't immediately respond to emails from The Associated Press asking whether it paid a ransom and inquiring about what happened with the compromised data.

Rich in digitized data, the nation's schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.

Hackers breached data days before the outage

A hacking group called ShinyHunters claimed responsibility for the breach at Canvas, said Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Connolly said.

The message that flashed on Polo's computer screen urged individual schools to reach out directly to the hacking group to negotiate a settlement and threatened to leak data if they didn't. She said that Canvas later took that message down, replacing it with a message saying the site was undergoing scheduled maintenance.

Just before 1 a.m. Friday, Polo was able to submit an assignment on Canvas, but she now worries personal data has been compromised.

The data breach appeared to involve student ID numbers, email addresses, names and messages on the Canvas platform, Instructure's chief information security officer, Steve Proud, said in an update shared Saturday.

Canvas went down just as deadlines were hitting

The outage happened just as a deadline arrived for semester-long projects in one of Gwyneth Doland's journalism classes at the University of New Mexico.

"They were a little hyperventilating," recalled Doland, who extended the deadlines. "None of these platforms are fail-proof. I'm glad that they got that lesson."

That the attack came with finals looming came as no surprise to Huseyin Can Yuceel, the security research lead at Picus Labs.

"Timing is everything, because they want to inflict pain as much as possible," he said, "so they can extort money out of it."

Teachers said they had to find workarounds to help students study for exams and submit final assignments. Some schools, such as the University of Texas at San Antonio, announced they were pushing back finals scheduled for Friday in response to the outage.

Others, like the University of Texas Permian Basin, gave teachers longer to submit grades.

"The concern is for those of us who were doing the grading if there's anything left," said Rod Uzat, a professor of Educational Leadership at the university.

Rhongho Jang, a computer science professor at Wayne State University in Detroit, was finalizing grades for a class of 94 students when the system went down. He keeps paper copies of the student exams, but all of the semester assignments, which make up half of the final grade, are done online.

If those assignments and grades could not be recovered, Jang would have given his students full credit.

"I didn't want to penalize them," he said. "We cannot judge based on the data we don't have. The final responsibility is still on the server."

A reliance on tech makes schools vulnerable

The breach underscored how much schools depend on outside companies' digital platforms to keep their operations running.

"What it boils down to is concentration risk," said Joseph Blankenship, a vice president and research director at Forrester. He said any space, including education, is particularly vulnerable when there's only one or maybe two key providers hosting essential technology.

Allan Liska, of the cybersecurity firm Recorded Future, said the outage did appear deliberate, not a glitch, and that Instructure was trying to figure out how widespread the problem was and make sure the hackers were no longer inside its system.

"There's no indication at this point that any ransom has been paid," Liska said. "And it likely is still a little too early for a ransom to have been paid. You know, normally these negotiations kind of drag on for a while."

Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group also has been tied to other attacks, including Live Nation's Ticketmaster subsidiary. ShinyHunters posted online that it was not commenting on the Canvas incident.

ShinyHunters, or an offshoot, was also behind a previous smaller breach of Instructure, Liska said. Sometimes small breaches reveal weaknesses that threat actors later exploit in future leaks, said Yuceel, who likened it to a leak in a boat.

"You fixed it, but you already have the water in the boat," he said.