Australasian universities are scrambling to determine whether they have been directly affected by a cyberattack on the Canvas learning management system which has compromised information security at up to 9,000 educational institutions around the globe.
The platform’s vendor, Utah-based edtech company Instructure, reported on 1 May that it had “experienced a cybersecurity incident perpetrated by a criminal threat actor”.
The hackers – a group known as “ShinyHunters”, previously linked with data theft from Ticketmaster and Google as well as the universities of Pennsylvania, Princeton and Harvard – threatened to leak “billions of private messages” unless the company paid an undisclosed ransom by 6 May, according to Inside Higher Ed.
Instructure said the incident appeared to have been “resolved” by 6 May, with Canvas now “fully operational” and no signs of “ongoing unauthorised activity”. But the hackers had potentially obtained data from the tens of millions of Canvas users at the company’s 8,000-plus customers, including top global universities and “every Ivy League school”.
Instructure’s chief information security officer, Steve Proud, said the data included “certain identifying information” – including names, email addresses and student ID numbers – as well as messages exchanged by users. There was no evidence of theft of passwords, dates of birth, “government identifiers” or financial information.
Institutions in Australia, where Canvas is widely used by schools, colleges and universities, are trying to determine their exposure. The University of Sydney said it had received confirmation that it had been impacted, while RMIT University said it was working with the vendor to find out if its data had been involved.
The University of Auckland said its cybersecurity team was also working with Instructure to gauge the impacts. The university said there was no suggestion that any student assessment data was involved, but the inboxes and discussion messages of past and current users may have been compromised. It said no data appeared to have been released publicly, but staff and students should be alert to “phishing” if it turned out that their information had been seized.
Queensland education minister John-Paul Langbroek confirmed that universities and schools in his state had been impacted, and people who had used Canvas at any time over at least the past six years could be affected. “Early advice is this will impact more than 200 million people and more than 9,000 institutions worldwide.”
Columbia and Rutgers universities are among the overseas institutions that have warned staff and students about the breach. “Be alert to unsolicited emails or messages appearing to come from Canvas or your institution, particularly any requesting login credentials or personal information,” urged Brian Sandoval, president of the University of Nevada, Reno.
Inside Higher Ed reported that the incident demonstrated that even “trusted” third-party providers were attractive targets for hackers and could elevate universities’ vulnerability to cyberattack. “Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once,” said Doug Thompson of Seattle-based cybersecurity management company Tanium.
“With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed.”