Cyberattack on Canvas potentially compromises millions of users’ personal information – KUTV
SALT LAKE CITY (KUTV) — Canvas, a learning management system, experienced a cyberattack that potentially compromised millions of users’ personal information.
The Utah State Board of Education told 2News that the tool is used very widely across Utah schools. It contains records of the courses, homework and grades. It is also used for messaging between students and teachers and teachers and parents.
“We have a state contract that allows K-12 schools to utilize the product if they wish,” said Katy Challis, Director of Privacy of the Utah State Board of Education. “Not all schools use Canvas, but I would say most do.”
MORE | Utah scam prompts warning after callers ask victims to cut up cards, mail in chips
Several higher education institutions also use the software.
Challis confirmed that she has been in communication with Instructure, Canvas’s parent company, but information remains limited.
“We don’t currently have the information [of which schools or districts were impacted] at this time,” Challis said. “Currently, school districts and charter schools are reporting to us if they’ve been impacted by this incident.”
The data that was stolen includes names, email addresses, student ID numbers, and messages sent through the program.
Financial information, dates of birth, social security numbers, and passwords were not compromised.
“The risk of identity fraud as a result of this incident is probably lower than it would be if more sensitive data elements had been stolen,” Challis said.
She acknowledged, however, that this may still be unsettling for parents, teachers, and students.
“No one wants to have their data out on the dark web or held by a third-party actor they don’t know or trust,” Challis said.
According to several technology-focused publications, the known hacker group “ShinyHunters” claimed credit for the attack.
On the cybercrime group’s dark website, they claimed:
“Nearly 9,000 schools worldwide effected. 275 million individuals’ data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII.”
Challis said Instructure informed them that the incident has been resolved and they are going to further investigate the scope.
“We don’t know the details yet about what the vulnerability was, and we suspect that information will be forthcoming,” she said.
Per Utah law, parents must be notified. Challis said this will likely happen in the next weeks or months once more information about the situation is understood.
“I’m sure Instructure is going through their logs and going through any records they have to identify just exactly what data elements were compromised, for which school, and for how many students,” Challis said.
She said that while the risk of identity theft is very low, this data may be used to fuel phishing scams.
“I want parents to know that schools take data protection seriously, and they will be reaching out to parents soon with more information about the incident,” Challis said.
_____
