‘You deserved more consistent communication from us, and we didn’t deliver’: Instructure CEO issues apology over Canvas cyber attack disruption

Hundreds of academic institutions have been affected by the Canvas cyber attack

Login page for the iOS application of academic management platform, Canvas, developed by Instructure.
(Image credit: ITPro/Ross Kelly)

The parent company behind academic management tool Canvas has issued an apology over disruption caused by a recent cyber attack, which impacted hundreds of institutions.

In a blog post on 11 May, Steve Daly, CEO of Instructure, said the company plans to introduce sweeping changes in the wake of the breach, insisting that Canvas is “fully operational and remains safe to use”.

Daly added that Instructure will continue providing assistance and guidance for institutions affected by the cyber attack.

“Rebuilding trust takes time,” he said. “We’re going to earn it back through consistent action and honest communication. We’re in this for you and your community.”

The apology comes after hundreds of schools and universities across the UK, Canada, Australia, US, and New Zealand were disrupted by a cyber attack waged by the ShinyHunters threat group.

The cloud-based academic management system is used by more than 8,000 institutions globally and has around 30 million active users.

Instructure first detected a breach on 1 May, but told customers it had taken steps to contain the incident.

In an advisory at the time, CISO Steve Proud warned that data, including names, email addresses, student ID numbers, and messages between users, had been impacted, which Daly confirmed in his recent blog post.

“This incident involved unauthorized access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrolment information and messages,” Daly wrote.

“Core learning data”, which includes course content, credentials, and student submissions, was not compromised in the breach, he added.

Canvas cyber attack escalation

While Proud noted that the incident had largely been contained, it was compounded when ShinyHunters waged a follow-up attack, which saw user login portals defaced with a ransom note.

ShinyHunters claims to have gained access to around 3.65TB of Instructure data during the attack, which includes upwards of 275 million records from over 8,800 institutions.

Analysis of ShinyHunters activity ranks it as one of the most notorious ransomware groups in recent years. The group has claimed responsibility for a slew of attacks on major organizations such as Salesforce, Ticketmaster, and AT&T.

According to Daly, the Canvas attack saw ShinyHunters exploit a support ticket vulnerability in Instructure's Free for Teacher environment. The company has moved swiftly to contain the breach.

“We temporarily disabled Free for Teacher while we complete a full security review,” he said. “We know that’s disruptive, and we didn’t make that call lightly. But keeping the entire Canvas platform secure has to come first.”

“We didn’t deliver”

In his blog post, Daly said Instructure will continue providing updates and apologized for the company’s communication throughout.

“Over the past few days, many of you dealt with real disruption,” he wrote. “Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered.”

“You deserved more consistent communication from us, and we didn’t deliver,” Daly added. “I’m sorry for that.”

The attack on Canvas comes during a busy period for academic institutions, with students in the midst of exams.

A slew of reports have detailed significant disruption for students on both sides of the Atlantic over the last week, with BBC coverage noting that Mississippi State University was forced to postpone exams.

As ITPro reported, students at the University of Oxford were unable to access papers and were forced to email lecturers for documents and results.

Ross Kelly
News and Analysis Editor