Universities worldwide still struggling with fallout from Canvas cyber attack

Universities across the world are still experiencing difficulties after a cyber attack on the Canvas academic platform caused widespread disruption for staff and students.

Canvas is a cloud-based academic management system developed by Instructure, and is used by more than 8,000 institutions globally and around 30 million active users.

Staff and students at universities in the US, Canada, Australia, and the UK were severely disrupted when the platform was breached, with a ransom note allegedly from the ShinyHunters threat group appearing on login portals.

A host of UK-based academic institutions, including the Universities of Birmingham, Oxford, and Edinburgh were among those impacted in the breach.

Latest Videos From

Sources told ITPro that operations at the University of Birmingham are back online in the wake of the incident. However, the University of Oxford has warned students and staff that Canvas remains offline, with no confirmed date of return.

ITPro approached both institutions for confirmation, but did not receive a response by time of publication.

What happened with the Canvas cyber attack?

Instructure initially confirmed a breach occurred on 1 May, but had taken steps to contain and remediate the incident. According to the company, data exposed in the incident is believed to include “certain identifying information”, such as:

• Names
• Email addresses
• Student ID numbers
• Messages between users

Instructure’s chief information security officer (CISO), Steve Proud, said the company found “no evidence that passwords, dates of birth, government identifiers, or financial information were involved”.

On 2 May, Proud noted that the incident had been largely contained. However, ShinyHunters reportedly breached the company in a follow-up attack, defacing Canvas login portals at hundreds of institutions.

Analysis of the incident by Halcyon noted that ShinyHunters injected an HTML file that altered login screens, displaying a warning that the group will publish stolen data on 12 May if the company fails to pay a ransom.

On its leak site, ShinyHunters claims to have gained access to a sizable amount of company data – spanning 275 million records from 8,809 institutions, amounting to 3.65TB.

ShinyHunters ranks among one of the most prolific ransomware groups in recent years, having claimed responsibility for large-scale attacks on Salesforce customers, as well as AT&T and Ticketmaster.

Researchers at Halcyon noted that the group does not employ encryption during attack, but instead operates under a “pay or leak” extortion model.

“The group maintains a loosely decentralized structure with operational overlap among Scattered Spider (UNC3944), LAPSUS$, and Scattered LAPSUS$ Shiny Hunters (SLSH),” researchers said in a blog post detailing the incident.

ITPro has approached Instructure for comment.

Critical timing for ShinyHunters

The attack on Canvas comes at a critical time for institutions globally, with students preparing for exam season.

According to reports from BBC News, Mississippi State University was forced to postpone exams on Friday due to the incident. A meteorology student told the broadcaster that students were nearing exam deadlines when the platform was taken down.

The university has been engaging with students via email and told students it was affected by a “nationwide security incident”.

Sources told ITPro that students at the University of Oxford have been experiencing similar difficulties, with some unable to access papers and having to email lecturers for attached documents.

Universities in a host of other US states, as well as in Canada, New Zealand, and Australia have also experienced significant disruption.

The University of Sydney, for example, told students that Canvas was unavailable on Friday and warned students not to log in.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.