There are allegations that a hacker who breached an education technology platform called Instructure has obtained over 280 million records of information linked to students and staff from nearly 9,000 colleges, school districts and online education providers.
Instructure is a cloud-based education technology firm best known for its Canvas learning management system (LMS). Schools and universities use the Canvas LMS to track and administer student coursework, assign homework and grades, communicate with students and teachers, and other academic tasks.
It appears last week, after initially stating it would investigate a suspected cyber attack, Instructure revealed that the company experienced a data breach. According to Instructure's initial announcement, the data breach allowed hackers to access usernames, email addresses and private messages exchanged through Canvas.
ShinyHunters extortion gang reportedly took credit for the attack and claim they accessed over 280 million records related to students, teachers and school employees. After claiming responsibility for the attack, ShinyHunters shared a listing of 8,809 school districts, universities and education companies whose Canvas accounts appear to have been compromised by the attack. ShinyHunters provided Unsurfaced with a count of how many records were potentially exposed by each organization.
Some organizations may be listed with only tens of thousands or dozens of thousands of records while others are listed with millions of records. Unsurfaced.com is not publishing the names of any of these institutions based upon this information because we cannot confirm whether or not those listed were impacted by the breach.
According to ShinyHunters, the group utilised Canvas data export features including data access portal (DAP) queries, provisioning reports, user APIs and harvested hundreds of gigabytes of user records, messages and enrollment data.
Although Instructure did not respond to repeated requests for comment on the matter, several universities released public statements concerning the possible implications. "CU is aware of a data breach involving Instructure, the parent company of Canvas, our learning management system. This reported data breach is a national event impacting multiple institutions." stated a warning from the University of Colorado Boulder.
"At present, Rutgers has not been informed of any adverse effects caused directly to their campus. Canvas continues to function and remain operational for Rutgers faculty, staff and students," said Rutgers.
"An investigation into the nature and scope of the breach and which systems were affected is presently ongoing. At this point in time, it has not been determined whether student and/or employee data belonging to Tilburg University has been affected. Questions have been asked of the vendor to further clarify," states Tilburg University.
Our team reached out to Instructure with additional inquiries relative to this issue. We will continue to update this article should we receive a response from Instructure.
