Hackers Target Big Higher Ed Vendors

Photo credit by Justin Morrison/Inside Higher Ed | SuperCubePL/iStock/Getty Images

The higher education sector received another reminder over the weekend that it remains a prime target for cybercriminals.

Hackers who stole information from Ticketmaster, Google and several top universities started the month of May by breaching Instructure. The education technology company owns the most popular learning management system, Canvas, which is used by 41 percent of higher education institutions across North America to deliver courses.

Hacking group ShinyHunters—which has also been linked to recent data breaches at the University of Pennsylvania and Princeton and Harvard Universities—says its attack on Instructure affected nearly 9,000 schools worldwide (including a mix of K–12 and higher education institutions) and compromised personal information identifying 275 million students and teachers.

Although Instructure says it has contained the attack, experts say it points to the increased value cyberattackers are seeing in going after third-party vendors instead of individual institutions.

“This breach follows a clear pattern we’ve observed over the past 18 months,” said Doug Thompson, senior academic architect and director of solutions engineering for Tanium, a cybersecurity management company. “Instead of targeting individual campuses, attackers are increasing the supply chain of data to platforms that reside under thousands of institutions at the same time.”

This is not the first time that ShinyHunters has harassed education and technology vendors. Last fall, hackers affiliated with the group breached Salesforce and sought to steal billions of customer records from multiple companies—including Instructure, which has 8,000 affiliates. In March, ShinyHunters infiltrated Infinite Campus, a widely used K–12 student information system. And in April, it took credit for accessing internal data from publisher McGraw Hill.

“It’s the math of a bank robber who just found out where the armored truck is parked. Why grab a hundred branches if the truck is going to visit them all? The real danger is now downstream,” said Thompson. “With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be the norm. It will refer to real lessons and real conversations, making it more likely to be successful.”

‘PAY OR WIN’

It’s unclear exactly how ShinyHunters got into Instructure, but late last week Canvas users began reporting that their authentication keys had been compromised. Soon after, Instructure got word from ShinyHunters: “PAY OR BE REWARDED.”

If Instructure didn’t pay, it could expect the leak of “several billions of private messages between students and teachers and other students involved, containing personal conversations and more [personal identifying information],” ShinyHunters wrote in a ransom note published on May 3 by the website Ransomware.live, which tracks and monitors victims of ransomware groups and their work. The note also referred to the “[digital] problems you will face,” warning the company to “make the right decision” to avoid becoming “the next topic.”

Although Instructure did not respond to Inside Higher Ed’s requests for comment on the ransom demand and other specific questions about the attack, it has posted a series of status updates written by Steve Proud, Instructure’s chief information security officer. On Friday, Proud confirmed that the breach was “perpetrated by a criminal threat actor” and said the company was “investigating the incident with the help of external intelligence experts.”

The next day, Proud wrote that Instructure believes it contained the attack and has taken steps to revoke the privileged credentials and access tokens associated with the affected systems, deploy patches to improve system security, rotate some keys (“although there is no evidence that they have been misused”) and implement increased monitoring on all platforms.

“While we are continuing our ongoing investigation, so far, indications are that the data involved contains certain information that identifies users at the affected institutions, such as names, email addresses, and student ID numbers, as well as messages between users,” Proud wrote. “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any agencies involved.”

That is in line with reporting from the news outlet TechCrunch, which looked at a sample of data, provided by ShinyHunters, that was stolen from a university in Tennessee and one in Massachusetts. According to the outlet, the sample data included messages containing names, email addresses and phone numbers but “did not contain passwords or other types of data that Instructure says were not affected by the breach.”

‘Rich Targets’

Instructure seems to be restoring its systems. As of the latest update posted on Monday, Proud wrote that Canvas Data 2 and Beta “should now be available to all customers,” while another version of the LMS, Canvas Test, is still in development.

Nevertheless, this incident served as a warning to the industry.

“The Canvas breach is a reminder that no platform is insecure: There are many widely used systems that remain attractive targets for sophisticated bad actors, including nations,” said Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute. “Educational platforms are especially rich targets given the collection of personal, financial and global student data.”

What’s most troubling about the Canvas breach is that it shows how “even organizations that do the right things can still be exposed by honest vendors,” he added. “We need a systematic approach to cyber security. Stronger defenses, better supply chain accountability and the recognition that data breaches are not isolated incidents, but part of a broader system that threatens the country.”
