The University of Illinois at Urbana-Champaign, Baylor and Arizona State universities all reported impacts.
Colleges and universities across the country have postponed final exams and due dates for assignments after Canvas, the learning management system used by 41 percent of North American institutions of higher education, was temporarily shut down due to a hack.
The University of Illinois at Urbana-Champaign has postponed “all final exams and assignments, including papers, projects, etc., scheduled for Friday, Saturday, or Sunday,” John Coleman said in a letter to students and staff Thursday night. He added that, “with consistency and clarity,” the rollback affects all classes—even those that don’t use Canvas.
Baylor University spokeswoman Nancy Brickhouse told students and staff her university plans to restore access to its Canvas program at 1 p.m. local time Friday—after Instructure, the company that owns Canvas, restored access to universities nationwide overnight. He said that the end of the year exams that were supposed to be on Friday have been postponed to Thursday of next week and they will be there managed online.
“We ask his faculty to create flexibility so that students who are traveling or have other post-semester commitments can complete their exams if their schedules allow,” he wrote. “We recognize that this change presents challenges in terms of test security.”
To minimize the risk – and in case Canvas goes down again – ask the academic faculty to release the grade books and download important course materials to their computers, inter alia. Postponement of exams affects even the exit dates; the deadline for students to move out is “24 hours after the completion of their final exam.”
Arizona State University has canceled all exams that were scheduled to be broadcast on Canvas on Friday and Saturday, on a local TV station 12 Stories reports, adding that instructors will update students on grade adjustments.
And the University of California System said in a statement Thursday that “out of an abundance of caution,” its president’s office “has ordered all UC locations to temporarily block or redirect access to Canvas, and access to Canvas will not be restored until we are confident the system is secure.” In an update Friday, UC said it “makes risk-based decisions about when to restore access to Canvas on campuses based on their operational needs.”
The institute’s quick responses—and the reluctance of some to tell students and staff they can return to the platform, even after Instructure brought it back online—reflect the widespread uncertainty caused by the Canvas disruption. In a statement Friday, Cliff Steinhauer, director of information security and engagement for the National Cybersecurity Alliance, said “the breach underscores that schools now rely heavily on centralized digital platforms to continue their daily operations.”
“Even if the most sensitive financial information is not disclosed, educational records, communications, and identity data can still be useful to cybercriminals for phishing, impersonation, and future attacks,” Steinhauer said. “Cybercriminals are increasingly motivated to target large technology vendors and shared service providers because compromising a single platform can provide access to thousands of organizations at once, making it more efficient and profitable than attacking individual schools … As attackers increasingly target platforms that cannot afford downtime, the education sector must expect attacks resulting from highly targeted and disruptive attacks.”
Earlier this week, the hacking group ShinyHunters said its attack on Instructure compromised the personally identifiable information of 275 million people, including students and staff, across 9,000 K-12 and higher ed institutions around the world. Canvas said it had resolved the data breach on Wednesday, but the next day, students and teachers reported seeing a message that ShinyHunters said. “break the Doctrine (again).” The group said vulnerable institutions “interested in preventing the release of their data” should “contact an online advisory firm and contact us privately at [the encrypted messaging application] TOX to negotiate an agreement. It gave the institutions and Instructure a Tuesday deadline to strike a deal.
On Thursday afternoon, Instructure said that “Canvas, Canvas Beta and Canvas Test” were not under investigation. On Friday, Instructure said Canvas is back.
Education does not provide Within Higher Ed interview on Friday or answer written questions. In the statement, said Thursday—the same day ShinyHunters’ messages appeared to users—”it discovered that an unauthorized actor involved in our ongoing security incident was making changes to pages that appeared when some students and teachers logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and continue to investigate.”
The company said on its website that “an unauthorized actor carried out this operation by exploiting an issue related to our Free Teaching accounts,” and that a similar issue “led to unauthorized access last week.”
“We’ve made the difficult decision to temporarily close our Free Teaching accounts,” Instructure said in a statement. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
