Canvas, a learning management system used by thousands of schools and universities, was offline Thursday during a cyberattack, creating chaos as students tried to study for finals and underscoring the education system’s dependence on technology.
Local universities, including Texas A&M University and the University of Houston, confirmed that their students were affected by the Canvas cybersecurity incident.
Other schools, including Texas Southern University, University of Houston – Downtown, Houston City College, and Prairie View A&M, all say they use Canvas through their websites.
The hacking group named ShinyHunters claimed responsibility for the breach at Instructure, the company behind Canvas, said Luke Connolly, a threat analyst at the cybersecurity firm Emisoft. Instructure didn’t immediately respond to a request for comment or questions about whether the system was taken down as a precaution or because the hackers knocked it offline.
The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Connolly said.
Screenshots Connolly provided showed that the group began threatening to leak the trove of data on Sunday, setting deadlines for Thursday and May 12. Connolly said the later date indicates that discussions regarding extortion payments may be ongoing.
Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.
Instructure has not posted about the attack on its social media. Its Canvas is used to manage grades, course notes, assignments, lecture videos, and more.
Connolly said the Canvas attack is strikingly similar to a breach at PowerSchool, another learning management system. In that case, a Massachusetts college student was charged.
Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group has also been linked to other attacks, including one targeting Live Nation’s Ticketmaster subsidiary.
Universities and school districts quickly began notifying students and parents.
The University of Houston provided a statement to Eyewitness News that read in part:
“The University of Houston is aware of a global service disruption affecting the Canvas LMS platform, which is currently unavailable due to a cybersecurity incident involving its parent company, Instructure. The UH UIT team is actively investigating and monitoring this situation.”
On Thursday evening, local school districts including Houston ISD and Katy ISD sent the following statements regarding the cybersecurity incident.
HISD sent a statement to its staff that read in part:
“This afternoon, a cybersecurity incident involving Canvas impacted school districts and other institutions nationwide. The issue is related to the Canvas platform and is outside of HISD’s control. Canvas is actively working to secure its systems and restore access as quickly as possible, and HISD teams remain in communication with the provider regarding updates and restoration efforts.
While Canvas works to resolve the issue, HISD is standing up a temporary Google site to provide access to curriculum materials. The site is expected to be available within the next few hours, and we will send an additional update once it is live.
We recognize the disruption this may cause and appreciate your patience and cooperation as Canvas works to resolve the issue and HISD implements a solution to ensure teachers have the resources they need for instruction. Our priority is to minimize disruption and continue supporting teaching and learning during this outage.”
Katy ISD shared a statement that read in part:
“This message is to inform our families, students, and staff that Canvas, the district’s learning management system, is currently unavailable. Katy ISD has been notified by Canvas, the vendor that provides our learning management platform, of a cybersecurity incident that is actively under investigation. While the incident was not directed at Katy ISD, it has affected thousands of organizations that use Canvas services.
Canvas has indicated that certain user information may have been exposed, including names, email addresses, student ID numbers, and messages exchanged within the platform. Please note that more sensitive personal information, such as Social Security numbers, home addresses, and passwords, is not stored within Katy ISD’s Canvas environment and was not impacted.
To help protect student and staff information, the Katy ISD Technology Department is actively monitoring the situation and working closely with Canvas to assess any potential effects on our systems.
Updated information, including a timeline for when Canvas will be operational again, will be shared as soon as it becomes available from the vendor.
We appreciate your continued support and understanding.”
Schools across the country, from the University of Iowa to Virginia Tech to Harvard University, have all confirmed they have been affected by the Canvas hack.
The Associated Press contributed to this report.
This story comes from our news partner ABC13 Houston.