Cybercriminal group reportedly breaches Canvas, exposing student information

(Gray News) - A ransomware group has claimed to have breached the learning management system Canvas, possibly exposing millions of personal information of students, teachers and staff across the country.

Instructure, the parent company of Canvas, posted on May 1 about a cybersecurity incident that had been reported and was under investigation.

The next day, Chief Information Security Officer Steve Proud wrote that the information involved in the attack included names, student ID numbers, messages between users and email addresses.

“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions,” he wrote.

By May 6, the company reported that Canvas was fully operational and no longer saw unauthorized activity. Still, the next day, Rutgers University reported that they were aware of an unauthorized message posted to Canvas about the breach.

The Daily Pennsylvanian, a student-run newspaper at the University of Pennsylvania, reported the university’s Canvas site had been hacked and a warning from the cybercriminal group ShinyHunters was posted.

Students at other universities, like the University of California, Davis, began posting similar messages they claimed to have appeared through their institution’s Canvas portal.

The breach was reported during a time when many college and public school systems were preparing for final exams.

The extent of the breach was not immediately known, as of this story’s publication.