Major universities in Canada are among thousands that have been impacted by a worldwide data breach involving the learning management system Canvas.
Canvas’s U.S.-based parent company, Instructure, first notified users about a “cybersecurity incident perpetrated by a criminal threat actor” on May 1.
On May 2, the company shared that the Canvas data breach involved user information, including names, email addresses, and student ID numbers, as well as messages among users.
“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions,” stated Instructure.
An Instructure spokesperson told Daily Hive on Friday that the unauthorized actor involved in the security incident made changes to pages that appeared when some students and teachers were logged in. They confirmed that the cyberattacker exploited an issue related to its Free-For-Teacher accounts.
“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” stated the spokesperson. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
As of Wednesday, the company says Canvas is fully operational, and the data breach has been resolved. It advised users to follow security best practices, including using multifactor authentication on accounts and reviewing admin access.
Universities impacted by the Canvas data breach
Several universities in Ontario were affected. On Thursday, the University of Toronto shared a notice on its community page alerting users of a cybersecurity incident involving Quercus, which is what Canvas is known as at the school.
“The parent company of Canvas (known at U of T as Quercus) is managing a cybersecurity incident. Multiple universities are affected. We are in contact with the vendor to pursue a resolution,” it reads.
On Friday, U of T announced that it has suspended access to Quercus until further notice “as a precautionary measure.”
“Some users may still be able to access Quercus. Use of the service is not recommended at this time,” reads the notice.
It added that there is no evidence to suggest that other U of T systems or assets have been compromised and provided a list of information it knows is safe.
OCAD University also notified students about the Canvas data breach and advised them to be aware of phishing messages that claim to come from Canvas, Instructure, or OCAD.
“Especially messages asking you to click a link, re-enter your password or provide personal information,” stated the university.
Ontario Tech University’s website also has a notice regarding the cybersecurity incident and advises users to report suspicious activity.
In western Canada, the University of Alberta shared an update Friday morning, stating that Canvas is still offline and that it is working with Instructure to learn more.
“University of Alberta Canvas users should not attempt to access Canvas until further notice,” reads the notice. “More information about how this will affect courses and exams, and other updates will continue to be provided through this page as new information becomes available.”
UBC also warned its students of the cyberattack on May 7.
“The university is working to maintain learning continuity for courses starting next week and will be contacting affected community members in the coming days,” reads a notice from Thursday evening.
The school also warned staff and students of phishing and advised them to use strong passwords and enable multifactor authentication.
In an email to Daily Hive, SFU said it’s currently investigating the situation, adding that the incident affected around 9,000 universities worldwide.
Daily Hive has reached out to McGill University and the University of Calgary for confirmation on whether they were impacted by the Canvas data breach.
Who might be behind the Canvas data breach?
Cybersecurity journalists from Hackread reported that the incident is linked to the cybercrime group ShinyHunters.
The publication says it obtained the full list of affected institutions impacted by the Canvas data breach.
“It is massive, indicating the vast scale of the theft and impacting around 15,000 institutions across the U.K., Europe, and the U.S.,” reads a report from the news outlet.
“ShinyHunters claim that they have stolen 3.65 terabytes of data. This includes a whopping 275 million records, and it isn’t just basic info, as it contains billions of private messages between students and teachers.”
Some of the universities Hackread mentioned that were on the list include:
- University of Oxford
- University of Melbourne
- University of Cambridge
- University of Hertfordshire
- University of British Columbia
- Harvard, Stanford, and Columbia University
With files from Amir Ali
MobileSyrup may earn a commission from purchases made via our links, which helps fund the journalism we provide free on our website. These links do not influence our editorial content. Support us here.
