Canvas Goes Down: The Instructure Inc. Breach
Source: Pexels, Lucas Andrade
By Gabriel Panza
Read time: 7 minutes 30 seconds
Data protection remains essential in a world where most organizations and institutions rely on digital platforms as a means to facilitate their operations. While it might just feel like an abstract technical issue, the protection of our personal data is what allows us to trust digital systems that we use every day, including university websites, social media platforms, and online learning tools. For students, this trust is fundamental because most of university life is facilitated through online spaces.
As students at Maastricht University know, Canvas is a central part of their academic life. It is used to access course materials, receive announcements, submit assignments, and communicate about course content. Canvas is operated by Instructure, a technology company based in the United States that also runs platforms like Mastery and Parchment to universities around the world. European universities like Maastricht University rely on US-based companies for designing their digital infrastructure, including their learning platforms. Since these platforms store large amounts of educational data, the recent hack at Instructure raises serious concerns about the security of students' personal information, the European reliance on US-based technology companies for data storage, and the vulnerability of digital education platforms.
Instructure Holdings, Inc., Public domain, via Wikimedia Commons
On May 4th, Instructure reported that unauthorized entities had gained access to their systems and that data from various educational institutions had been stolen. Instructure responded immediately; however, the intensity of these cyberattacks became clear when a hacker group known as ShinyHunters claimed responsibility for this breach and made various demands. ShinyHunters reportedly sent a message with a link to a list of all the schools it claimed were impacted by the breach, andthe hackers demanded a settlement, stating that Instructure had until the 12th of May before all the data would be leaked. For this reason, Instructure shut down its learning platform on the evening of May 7th.
This impacted third parties working with Canvas, such asTurnitin, whose own operations were stunted. Universities were also impacted, with somecanceling scheduled exams and assignment deadlines. Some universities are taking measures into their own hands by advising staff to be mindful of unsolicited emails or messages stemming from Canvas.
Naturally, Instructure had to reach a consensus with the hackers for its operations to recommence. Hence, onMay 11th, Instructure announced that it had reached an agreement with the hackers, allowing the stolen data to be returned. To make sure the hackers did not have a copy of this data, they reportedly provided proof of its destruction, likely digital evidence. This allows the threat to educational institutions’ data to be ceased. Eventually, this led to Canvas reopening on the 12th of May.
Who are the ShinyHunters?
These cyberattacks are not unique to Instructure. In fact, major companies such as Google, Louis Vuitton, and Adidas were previously breached by the same hacker group within 12 months. These companies are not lacking in security teams; in fact, they are among the best, well-resourced organizations in the world. The hacker group behind all these attacks? A group known as ShinyHunters.
ShinyHunters is a well-known cybercriminal group that gained notoriety in 2020 by executing large-scale data breaches and selling stolen data. In May 2020, ShinyHunters first appeared on dark web forums offering records of stolen data from major companies. Their main business model revolves around a “pay or leak” system where they contact their victims and demand a ransom. From there, the company either pays the ransom and receives its data back or refuses the ransom, and the data is auctioned on illegal forums. Luckily, authorities have taken action to track and arrest members of ShinyHunters.
For Instance, Moroccan authorities identified Sebastian Raoult as a participant of ShinyHunters, causing millions of dollars to be lost to victim companies and stealing cryptocurrency. Raoult was extradited to the US, where he was linked to 60 separate data-hacking cases between April 2020 and July 2021. Raoult had created specific websites that impersonated the login pages of legitimate businesses, while sending emails to company employees that appeared to come from those businesses and contained links to those websites. As victims provided their login credentials, the conspirators were able to access the victims' accounts and the data stored there, and potentially other company networks or third-party service providers. This is a significant threat to global cybersecurity, as companies such as Instructure may be forced to comply with ransom demands that incentivize further attacks, strengthen ShinyHunter’s criminal network, and set a dangerous precedent for data breaches.
EU cybersecurity prevention and response measures
Considering the magnitude of ShinyHunter’s cybercrimes, the European Union is taking action to prevent data leakage and phishing. Data protection is fundamental in the EU, as regulations such as the GDPR aim to protect individuals’ personal data, safeguard privacy rights, and ensure that organizations handle sensitive information with transparency and care.
Hence, it is no surprise that the European Commission is encouraging its cybersecurity service (CERT-EU) to publish blog posts to inform the European community about a cybersecurity incident affecting the Commission’s website, “Europa.eu”. This measure is taken in the interest of transparency and to ensure that all European citizens, institutions, and vulnerable organizations are aware of the incident and the steps being taken to prevent similar attacks in the future.
Currently, the EU is improving institutional cybersecurity by enhancing incident reporting and reducing potential weaknesses in cloud and supply chain systems. For example, EU institutions are prohibited from handling serious cyberattacks internally, as they must notify CERT-EU swiftly so the incident can be contained and thoroughly investigated. Additionally, the EU is also focusing on technical containment of hacker group activity. Once the European Commission is aware of cybersecurity attacks or data compromises, it takes measures to revoke compromised private data, disable newly created access keys, and block any illegitimate access. This is seen when Amazon Web Services was breached earlier this year.
Beyond these technical measures, the EU is seeking to reduce harm by increasing transparency, communication mechanisms, and data protection procedures. These goals are mainly achieved by informing the general public about the dangers of such cyberattacks and ensuring that the relevant data protection officers are promptly notified of new attacks or data breaches.
Conclusion
Overall, the Instruction breach shows us how quickly cybersecurity incidents can disrupt university life and threaten the trust students place in platforms like Canvas. It also reminds us that student data is not just technical information but also personal and educational information that should be preserved to support the functioning of our university lives. As universities like Maastricht continue to rely on digital platforms, including those based in the US, issues of cybersecurity, transparency, and swift response mechanisms remain priorities.
