Instructure hack raises awareness of value of school photo privacy


The recent ransomware hack of Instructure, the educational software company behind the Canvas platform, has raised concerns about student data safety. Fortunately, student photos were not part of this breach, but it does show the heightened impact of these events. According to NPR, the Canvas platform went offline after a data breach, temporarily leaving students and faculty at thousands of U.S. colleges — and K-12 schools — without access to course materials and communications during finals period.

“I’m sure somewhere in the country when the outage happened, there probably were people actually taking final exams on the platform when it crashed,” says Damon Linker, a senior lecturer in political science at the University of Pennsylvania, to NPR. Thirty million users — including at half of the higher education institutions in North America — rely on Canvas to manage courses, submit assignments, view grades and facilitate communication.

But when Linker and many other users tried to do so on April 21, they met a black screen and a warning message: “ShinyHunters has breached Instructure (again),” it read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

According to CyberNews reporter Stefanie Schappert, the Canvas attack shows how educational platforms have become critical infrastructure – and how paying off hackers still leaves major questions about whether student data is ever truly safe. Last week’s Canvas cyberattack led to a finals-week nightmare for thousands of students across North America, locking them out of exams, assignments, and coursework – all while putting them face-to-face with the notorious ShinyHunters ransomware gang – something most students would never have expected. 

Facing threats to release stolen data belonging to 275 million students and teachers tied to the e-learning platform, Canvas by Instructure announced over the weekend that it paid off the seasoned hackers, alongside a “digital confirmation of data destruction” from ShinyHunters themselves.

The undisclosed ransom demand was reportedly paid to ShinyHunters as part of an agreement intended to prevent an imminent leak affecting schools, from kindergarten classrooms to universities worldwide, according to Schappert. “But now the breach is becoming something much bigger: a test of whether the more than 8,000 schools caught up in the hack can trust a hacker group’s word that stolen student data was actually destroyed. While it may have been enough to stop an immediate leak, it does not erase the larger problem – once student data is stolen, control is gone.”

Schappert notes the December 2024 breach of edtech software provider PowerSchool didn’t teach any lessons.

“After PowerSchool allegedly forked over a $60 million ransom demand, the 19-year-old attacker later turned to extorting the 15,000 North American school districts using the platform – despite earlier promises to delete the stolen data,” notes Schappert. “Fast forward to the Canvas breach. The company says there is no evidence the stolen information was publicly leaked or retained after the payment agreement.”

Canvas revealed compromised data included full names, email addresses, student IDs, course and enrollment data, plus “billions of private messages” exchanged on the platform. 

And while passwords, Social Security numbers, financial information, grades, coursework submissions, and student files were not exposed, cyber experts say once student data falls into the hands of criminal actors, “the implications for identity theft, targeted social engineering, and even safeguarding are serious and long-lasting.”


Written by 

Gary Pageau is principal of InfoCircle LLC, continuing his marketing communications career. InfoCircle LLC is a marketing and communications consulting firm, specializing in business-to-business markets. For nearly 25 years, he was with PMA International, serving most recently as Publisher, Content Development and Strategic Initiatives. His primary responsibilities included overseeing the Association’s editorial department, marketing research unit, education and corporate relations department.