A massive cyberattack that crippled the Canvas online learning platform as finals were getting underway at many universities could leave them scrambling for as long as a month — and expose the education software giant to major legal and financial fallout, cybersecurity experts told The Post.
The breach of the popular learning platform, owned by Instructure, disrupted coursework, exams and student communications at universities and school systems across the US and beyond after hackers linked to the notorious ShinyHunters group said they infiltrated the system and exposed sensitive user data. The group targeted almost 9,000 schools and accessed data from over 275 million people, according to a ransom letter shared online.
Instructure said names, email addresses, student ID numbers and private messages were compromised, though it added that there was no evidence passwords, Social Security numbers or financial data were exposed.
Now schools are facing a daunting recovery process that could stretch weeks beyond the initial outage.
“The big question is how could schools have prevented this,” said Don Beeler, head of TDR Technology Solutions, a New York-based school cybersecurity and threat-prevention company.
“There is technology available that could reduce the impact on schools. The ones that have it will be up and running faster.”
Beeler said institutions may have to assume the breach spread beyond Canvas itself and infected their internal systems.
“Depending on the breach, most schools will need to assume this has impacted other internal systems,” he told The Post.
“Depending on the school’s cybersecurity footprint this could mean it could take one to four weeks to resolve. They may have to shut down every computer and clean it before turning anything back on.”
The cyberattack came during one of the most stressful times of the academic year, with everyone from profs and adjuncts to students relying on Canvas for final exams, grading and assignment submissions.
Several universities temporarily disabled access to the platform while their IT departments raced to determine the extent of the data breach.
Instructure said it detected unauthorized activity on April 29 and later tied the intrusion to an issue involving its “Free-For-Teacher” accounts.
The company took Canvas offline on Thursday after login pages were allegedly altered, triggering widespread outages and panic across campuses around the world.
The incident is already raising questions about whether Instructure and affected schools carried enough cyber insurance coverage to absorb the fallout.
“Cyber insurance coverage will be a big topic,” Beeler told The Post. “The policies vary. Will they cover this, will be a big question.”
Legal exposure could become another major headache.
“The other issue is the fines that Canvas could be exposed to as a result of allowing PII of students to be exposed,” Beeler said, referring to personally identifiable information.
“State laws vary on this issue. Some can be substantial if it is found that they were exposed.”
The company said it has engaged outside forensic experts and notified law enforcement agencies including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency.
Schools, meanwhile, have warned students and faculty to watch for phishing emails and scams tied to the breach.
Experts say attacks on centralized education platforms can be especially devastating because universities often rely on sprawling networks of third-party tools connected to student records, coursework and communications systems.
“Same issue for Canvas,” Beeler told The Post.
“Once we understand the breach, it will become more obvious what specific tech could have prevented the breach.”
The hack has already intensified scrutiny over whether schools were overly dependent on a single platform for key academic operations.
Some institutions reportedly shifted to email, Microsoft Teams and cloud-sharing systems after Canvas went dark.
Others waived late penalties and delayed exams as students lost access to assignments and course materials.
Instructure has not disclosed how many institutions were directly affected, though the company says Canvas is used by more than 8,000 schools and universities globally.
The company said most services were restored by Thursday, though some maintenance issues remained under investigation.
Questions remain about the full scope of the breach, whether additional systems were compromised and whether regulators or state attorneys general will launch investigations into the exposure of student data.
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in,” a rep for the company said in a statement to The Post.
“Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate.”
The company added that it has “confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts.”
“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
