Canvas Paid ShinyHackers Ransom for the Largest Student-Involved Security Breach in History

Siri Kolanupaka, Opinion Editor | 53 Views

Shinyhunters’ message replaced the Canvas home screen and included a list of schools that were impacted by the security breach on Infrastructure, which compromised 3.65 terabytes of data. “We have to be more educated on these data breaches and how to be safe online,” junior Lucas Chu said.

Shinyhunters, a black-hat criminal extortion group, led a cybersecurity breach rendering thousands of students’ data nationwide vulnerable through an attack on the widely used classroom platform Canvas on May 7; Canvas paid the ransom on May 2, although the amount was not disclosed.

The data breach did not risk students’ sensitive data, according to the IUSD Information Technology Department. In a letter sent out across the district, IUSD confirmed that the group was only able to access student and teacher names, email addresses, system messages and student IDs. Personal information such as Social Security numbers, passwords and addresses were not directly compromised.

“These criminal hacking organizations have access to our information, even though we did not consent to our data being leaked,” junior Lucas Chu said. “Because everything is growing to become digital, it’s a lot harder for us to keep our personal information safe.”

The breach is considered the biggest student data privacy disaster to date, partially because of the dependency of educational institutions on the platform itself. According to Ransomware, a website that tracks online cyberattack groups’ activity, 3.65 terabytes of data belonging to over 275 million individuals were being held hostage by the group. For English teacher Desmond Hamilton, the event incited him to find workarounds to the learning technology’s temporary outage.

“The shutdown was definitely an inconvenience for a number of reasons,” Hamilton said. “We use Canvas at Portola as one of our primary learning management systems, so not having it accessible to students called for teachers to make adjustments to lesson planning.”

ShinyHunter is suspected of having initially breached Canvas on April 29. The Canvas website detected this activity, and its parent company, Instructure, publicly announced the cybersecurity incident. However, ShinyHunters forced Canvas to shut down just weeks later, disrupting many students’ study schedules during finals season.

“It blocked all of my assignments that were on Canvas, so I couldn’t access them,” junior Aairah Ali said. “It made studying for finals and AP tests a lot harder because everything was blocked.”

As of May 12, Instructure has paid an undisclosed amount to ShinyHunters; in exchange, the group confirmed that it will not target Instructure in the future and that access to the website will be restored in a statement from Techcrunch. Instructure did not state the sum of money that was paid as settlement.

Donate to Portola Pilot

$375

$500

Contributed

Our Goal

Your donation will support the student journalists of Portola High School. Your contribution will allow us to purchase equipment and cover our annual website hosting costs.

About the Contributor

Siri Kolanupaka, Opinion Editor

Siri Kolanupaka is the Opinion Editor for her second year on the Portola Pilot. She is excited to be able to write about current events. In her spare time, she likes spending unnecessary amounts of time window shopping and trying different coffee shops with her friends to see which one has the best drinks. Her favorite drink at the moment is matcha (she’s not performative though, she promises!)