Canvas hack puts thousands of Georgia students at risk

ShinyHunters, the hacking group that’s taken responsibility for the attack, claimed in a ransom letter that nearly 9,000 schools and 275 million individuals worldwide were affected by the breach, including students, teachers and other staff.

The full extent of the breach is not yet clear. As of Friday, Instructure said its investigation “found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.” Steinhauer noted the company did not rule out the possibility.

“In these situations, I tend to assume worst case scenario,” he said.

Canvas was shut down on Thursday after the company noticed unauthorized activity on the platform. It was restored on Friday, but some schools remained cautious. Fulton County School District temporarily limited access. So did Emory University as it sought to “assess the security and stability of the platform.”

The timing of the hack is especially bad for colleges and universities, as many are in the middle of final examinations and professors are submitting grades. Emory extended its grade submission deadlines by seven days after shutting down access to the platform.

According to Instructure, the leaked information includes names, email addresses, student ID numbers, and messages among Canvas users. Those messages could be particularly sensitive, as students and teachers may discuss grades, accommodations and other confidential information.

“The problem is institutions that get funds from the federal government are required to protect student data and class data under the FERPA (Family Educational Rights and Privacy Act) guidelines,” said Dan Boyd, director of information security at Berry College. “Much of the information within the chats that the ShinyHunters claim they have is probably FERPA protected.”

Experts advise Canvas users consider changing their passwords and be very wary of clicking on any links sent via text or email. “Understand that enough information about you was stolen to generate credible phishing emails, so carefully examine any communication purporting to be from Canvas or Instructure,” Boyd wrote in an email to students. “Anything you discussed with your professors or classmates is potentially exposed.”

Mass cyberattacks have become increasingly common in recent years. In February 2024, Change Healthcare was hacked by a ransomware group, exposing the personal data of 190 million people, the largest healthcare data breach in the U.S. A few months later, CDK Global, a car dealership software, suffered an attack that shutdown 15,000 car dealerships across North America. The University System of Georgia was exposed to a breach in 2023 when a software used by the USG and other entities was infiltrated by malware.

Hackers steal information and then demand a ransom to restore it. It can be a lucrative business. Large companies are ripe targets. Steinhauer said as corporations merge and acquire one another, infiltrating one company can give hackers access to the personal data of millions of people. Canvas, for instance, is used by 41% of higher education institutions and has few competitors.

“Why go hack 9,000 schools when you can hack the service provider that they all use?” said Steinhauer. “What they’re trying to do is get the victim company, Canvas or Instructure, to pay an amount for them to not post the data publicly.”

Professor David Maimon, who researches cybercrime at Georgia State University, said schools need to make sure their students are aware of the Canvas hack. But ultimately, it’s Instructure that is liable for the data breach. And with ShinyHunters demanding a ransom, the breach could prove to be very costly.

“At the end of the day, many organizations would not be able to function without the databases that they have,” said Maimon. “So they prefer to just pay the ransom. Criminals know that and they take advantage of it.”