Georgia schools, colleges affected by cyberattack on online classroom platform

“As this is taking place at the very end of the semester when grades and final assignments are being completed, academic leaders have provided faculty members with additional flexibility to mitigate the impact on our students,” the school said in a statement.

Emory University said it is limiting access to Canvas “so we can assess the security and stability of the platform.” It also extended grade submission deadlines by seven days “due to the ongoing problems.”

The Georgia Department of Education told the AJC it has not received detailed guidance regarding the impact and scope of the incident, and noted some school districts may have independent contracts with the vendor.

“Out of an abundance of caution, GaDOE has implemented security protocols and directed Georgia Virtual School students and staff not to use the platform until further notice. We continue to coordinate with the Georgia Technology Authority and the Georgia Emergency Management and Homeland Security Agency on this matter,” the department said in a statement.

The Fulton County School District informed families Thursday that “the vendor has confirmed that certain user data, including names and internal messages, may have been accessed.” They heard from Instructure, which owns Canvas, that “passwords, social security numbers, and financial information were not involved.” Fulton has temporarily made Canvas inaccessible for students, parents and teachers.

The DeKalb County School District told families in an email that its internal networks, system and infrastructure were not compromised, but the district temporarily disabled access to Canvas “out of an abundance of caution.”

The Cherokee County School District also disabled access for users and asked parents not to attempt to access their accounts. “We want to assure you that our CCSD system is not at risk, but we need to take proactive measures to keep it that way,” the district said in a message to families.

A spokesperson with Forsyth County Schools says Instructure notified them of the breach but was not told if or how the district may have been affected.

“Based on the information shared so far, it appears the incident may have involved some student ID numbers and limited directory information, such as student names, school names, or teacher names. Highly sensitive information such as Social Security numbers, home addresses, phone numbers, dates of birth, financial information, and passwords are not stored in FCS Canvas and do not appear to be involved,” the spokesperson told the AJC, adding that the district is monitoring updates and communicating with staff and families about the situation.

Although Georgia State University was included on the hacker’s list, the school said it does not use Canvas.

No students, faculty or staff at the University of Georgia have been affected by the data breach, according to the school, which said it does not use Canvas as its learning management system. UGA said its learning platform is provided by D2L.

Oglethorpe University does not believe it was impacted by the breach, saying it’s found “no indication that university systems or data were involved.”

Instructure said Thursday in a message on its website that “most users” were able to access Canvas.

Hacking group ShinyHunters claimed in a ransom letter that roughly 275 million individuals worldwide are affected by the breach, including students, teachers and other staff.

“Pay or Leak,” the message said.

Some students logged onto Canvas on Thursday to find a similar message from the group. It told individual schools to contact the group privately to prevent release of the data and gave a Tuesday deadline.

Ransomware attacks against government agencies and schools have become more frequent in recent years. Henry County’s school system was attacked in late 2023. Substitute bus drivers had to be guided by central office personnel on unfamiliar routes because they lacked access to GPS. Many homework assignments were completed with paper and pen.

The city of Atlanta suffered a major ransomware attack in 2018. Two Iranian citizens were eventually charged with that crime. And Fulton County government two years ago had a ransomware attack that disrupted various services.