Data from 275 million users of the Canvas learning platform worldwide is believed to have been stolen in a cyberattack. The hackers are threatening to publish some of the data if the software’s developer does not pay a ransom.
(Photo: Justyna Botor)
Names, email addresses, student numbers and correspondence between students and teachers were reportedly stolen in a hack on the US company Instructure, the creator of Canvas. The company announced this last Friday.
The hacker group ShinyHunters, previously involved in the major Odido data breach, has claimed responsibility for the hack and claims to be in possession of the data of 275 million students, teachers and other users. The group claims that Dutch students are also among them.
At least nine Dutch institutions
Teachers from at least seven Dutch universities and two universities of applied sciences use Canvas to share course materials and assignments with students, for example. These include the two universities in Amsterdam, Erasmus University, Tilburg University, Maastricht University, the University of Twente and TU Eindhoven, as well as Utrecht and Fontys University of Applied Sciences.
A spokesperson for TU Delft has confirmed that the university does not use Canvas, but instead relies on the alternative platform Brightspace. TU students who are undertaking a dual degree programme at one of the affected universities (such as Erasmus University) are advised to follow the updates issued by the relevant institution.
Students can view their timetables or grades on Canvas. They can also send messages to classmates or teachers within the Canvas environment. All that data (but not the passwords) is believed to be in the hands of the hackers.
It is not yet known how ShinyHunters managed to obtain data from so many institutions. Instructure must pay the ransom by Wednesday at the latest, otherwise the hackers are threatening to make the student data public. The hacking group did the same earlier this year with data belonging to Odido customers when the telecoms company failed to pay the demanded €1 million.
Used worldwide
The US-based company Instructure was founded in 2008. Its learning management system, Canvas, is the company’s core business. Around 9,000 educational institutions worldwide use it. In 2024, Instructure was acquired by the investment fund KKR for $4.8 billion.
A key feature of Canvas is that the software does not run on the servers of universities and colleges themselves, but on Amazon’s AWS servers. Institutions are given their own login details, but Instructure manages the software and the data.
According to a privacy audit carried out last year by the IT cooperative SURF, data from one educational institution is, in principle, strictly separated from that of other institutions. However, this apparently did not prevent hackers from stealing the data of millions of users.
Negotiating
According to broadcaster BNR (in Dutch), ShinyHunters is now reportedly urging educational institutions to negotiate ransom payments directly with the hackers, so that their data remains confidential. This could suggest that Instructure does not wish to pay a ransom.
The University of Twente has stated in a message to users that it does not know exactly what data has been stolen. Following a software update this weekend, students and lecturers should be able to use Canvas safely again. The same applies to Maastricht University, according to a spokesperson.
HOP, Olmo Linthorst / Delta, Marjolein van der Veldt
HOP
Hoger Onderwijs Persbureau
Do you have a question or comment about this article?
redactie@hogeronderwijspersbureau.nl
Comments are closed.