The Brief

Esther Mejia and Kelly Merchant had a question Friday afternoon for their professors: Where were you?

The UC Riverside public policy students were among the likely hundreds of thousands in California who lost access to the all-important academic software Canvas when it was brought down by a hacker group Thursday afternoon. Losing Canvas meant losing assignments, tests, and required reading material along with a way to communicate with instructors. The timing was especially bad for UC students, who were hunkering down for midterms or finals.

“This is a very crucial time for students to be able to access their coursework. So I definitely do think that professors should reach out,” Mejia said in an interview. “And they did not.”

Merchant heard from only one professor by Friday who addressed the downed website. She learned about the hack attack on the social media site Reddit after she was logged out of her account while finishing an assignment.

The Riverside students’ experience underscores just how central Canvas has become to higher education in California — the outage likely affected more than 1 million of the state’s university students. The hack has raised serious questions about how schools should be vetting and balancing their use of online platforms, to what extent they may be held liable for breaches, and what role policymakers should play in protecting student data and regulating edtech.

By Monday evening, the company behind Canvas had told customers, including the University of California, that it had struck an agreement with the hacking group. In an email shared with CalMatters by UC's systemwide Office of the President, the company's CEO stated that “we reached an agreement with the unauthorized actor involved in this incident” that returns data and assures it is no longer held by the attacker nor any other outside parties. Further, “we have been informed that no Instructure customers will be extorted.”

CalMatters asked the company, Instructure, if it paid a ransom, but did not immediately hear back.

The attack seems to have begun on or around April 29, when Instructure “detected unusual activity,” according to a class-action suit filed in a Texas federal court. The attack exploited a vulnerability in Canvas’s free tool for teachers.

On May 4, some Cal State campuses experienced a brief shutdown but were operational within 20 to 30 minutes, the university system said.

By May 7, Thursday, the platform was offline. The University of California system blocked access to Canvas the same day, and wrote on its website that it won’t “be restored until we are confident the system is secure. We understand this disruption is concerning.”

The hackers, a group calling itself ShinyHunters, claimed to have obtained sensitive data, including billions of messages, and threatened to release the data if they weren’t paid a ransom. The CEO of Instructure has said that core “learning data (course content, submissions, credentials) was not compromised” and Cal State has said that Canvas does not store social security numbers.

On the evening of May 7, one of Merchant’s professors, she said, shared the material students needed to complete an assignment due Friday. The professor did so using a Discord group they created for the class at the beginning of the term. Merchant appreciated the initiative, but observed that not every student checks Discord as regularly as they would their email account.

By May 9, Saturday, UC Riverside mostly restored access to the platform, with other universities coming online in the following days. Mejia had a quiz and assignment due Monday at 2 p.m. She received a note from the professor of that class only at 9 a.m. that day through Canvas, she said. The professor granted a two-day extension.

Merchant wants more professors with a communication back-up plan, especially since Canvas has been down before. “Whether it’s a cybersecurity thing or routine Canvas maintenance, it’s going to continue to be a risk. And we have to prepare for it.”

“These situations are fluid and campuses and UCOP communicated as quickly and completely as feasible,” said UC Office of the President spokesperson Stett Holbrook.

For many colleges and high schools, Canvas has become indispensable, with teachers using it to give quizzes, message students, post grades, and more.

Almost 9,000 colleges, K-12 schools and school districts, and offices of education around the world were reportedly affected by the Canvas outage, according to the hacker group and other media, along with likely millions of students and teachers. California seemed to be hit especially hard. The institutions relying on the system and affected by the cyberattack included Stanford, at least some campuses at the University of California, USC, all 22 California State University campuses and all 116 of the state’s community colleges.

The number of students ultimately affected by the breach could be staggering. The Cal State system alone enrolls more than 400,000 students. The UC system, where hackers claimed to hit six of 10 campuses, enrolls about 300,000. The hacker group listed the Los Angeles Unified and Fresno Unified school districts as among their targets — they too enroll more than 400,000 students combined.

Deputy chancellor of the LA Community College District, Nicole Albo-Lopez, told CalMatters that Canvas was being used by students in thousands of courses, including as a “repository for gradebooks, sharing of course materials, and messaging.” The district is among the largest community college districts in the country, with nearly 200,000 students annually.

Canvas, she said Friday, still hadn’t informed them of what’s been exposed in the hack. “We’re supposed to receive specific information about what was accessed in our specific system, but we have not received that yet,” she said.

‘Eggs in one basket’

One expert said the incident highlights the problem of relying on “all-in” solutions for online education tools.

The attraction of software like Canvas is that it allows institutions without technical expertise to easily manage everything on a single platform. But the hack shows the danger of relying on such centralized systems, where a breach of one company exposes the data of the countless institutions that rely on it.

“The beauty of these software as a service systems and what they sell is, ‘Hey, your staff members don't need to run this, we'll just handle it,’” said Jake Chanenson, an education technology researcher and PhD student at the University of Chicago.

In the best case, those companies have diligent cybersecurity teams protecting student data.

Many schools without tech departments, by contrast, may only be equipped to give any new tools “a cursory, at best, privacy and security assessment,” Chanenson said. Small schools, especially, may then struggle to recover from a breach or outage.

But a centralized system also means that only a single point needs to be hacked for every school that uses the software to be affected.

Chanenson, who is currently researching “critical infrastructure" in schools, said that “when you put all your eggs in one basket across schools, it makes these targets very attractive.”

One state lawmaker wants a legislative audit into California's heavy reliance on Canvas. “The Canvas breach exposes the growing risks of concentrating massive amounts of student records, academic systems and institutional operations into a single platform," said Sen. Melissa Hurtado, a Democrat from Bakersfield, in a written statement.

What now?

It may be too early to identify the consequences of the hack for schools and for Canvas. It’s still not clear, for example, how the breach happened, or the full extent of data that was compromised.

At minimum, schools will want to reassess how much information they’re willing to give over to third-party software companies in the name of efficiency. Those companies, Chanenson said, should also take a look at their policies around data collection and retention to minimize how much sensitive information they store.

“You think in your head that any data set that you have has a non-zero probability of being leaked or breached or some sort of privacy loss, then you want to start thinking about things like data minimization,” he said.

Past data breaches have led to legal consequences for the companies and institutions involved, including action by state attorneys general. There are federal legal protections for data belonging to children under 13, through the Children's Online Privacy Protection Act, as well to students, under the Family Educational Rights and Privacy Act. In California, the Student Online Personal Information Protection Act protects data for K–12 students. Lawmakers in the state are also actively considering additional data protections.

The state has grappled with previous compromises of school data. Los Angeles Unified School District has faced a series of class-action lawsuits related to data privacy breaches. Most recently, the district disclosed last year that a telehealth vendor it worked with experienced a breach.

Chanenson points out that schools are prime targets for hackers since they hold immensely sensitive data but often lack the technical prowess of other large institutions, like banks.

“They’re happening with enough of a frequency that it’s more of a when, not an if,” he said.

CalMatters reporter Adam Echelman contributed to this story.

This article was originally published on CalMatters and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

Southern California was built on radio.

"I can still hear the jingle KFWB News 98,” wrote  Taline in Los Feliz, during a recent conversation on LAist's daily news show, AirTalk, which airs on 89.3 FM. “I grew up hearing that in my dad's minivan on the way to and from school. It has a special place in my heart.”

Back in April, broadcast company Audacy announced KNX News — one of the last-remaining all-news FM stations — was leaving the FM dial where it had simulcast on 97.1 FM since 2021. The station, which is also one of the oldest in L.A., is not budging from 1070 AM where it has been on the air for more than 100 years. The move away from FM officially happened in May to make way for a new sports talk station, which Audacy officials called an area of growth for advertisers in today’s media landscape.

The move is one in a long line of changes for radio and a reminder that before podcasts, playlists and algorithms, many Southern Californians built their days around radio broadcasts.

Radio, a daily ritual

The construction of KNX

(

Herman J. Schultheis

/

Los Angeles Public Library

)

Michael Jackson, a well-known KNX, personality

(

Los Angeles Public Library

)

Larry Mantle, now in his 41st year hosting AirTalk, remembers being a kid and dreaming of what it might be like to be behind the mic at one of these radio stations.

“ I grew up with KNX," he said. “My dream job as a kid was to be an anchor on KNX or KFWB, the two local all-news radio stations, 'cause there was nothing like hosting AirTalk that even existed at that point.”

Mantle opened up the phone lines on a recent show to hear from his fellow SoCal radio lovers about the shows they miss and the memories they have. Here's what they had to say:

A love for radio, then and now  

A pilot of KMPC's traffic alert helicopter pictured with his daughter and grandson.

(

Los Angeles Public Library

)

A 1963 picture of Valley State College (now Los Angeles Valley College) preparing to launch KVCM

(

Larry Leach

/

Los Angeles Public Library

)

“When you'd walk down Hollywood Boulevard where the station was, you could hear it playing as you went down the street,” said  Olivia in Glendale about KLAC 570 with Al Jarvis.

 Larry in Yorba Linda shouted out KBCA Jazz for its 24-hour jazz, saying “When I first moved out here in '68 from Phoenix, which had like an hour a week, it was a real wonder.”

 Mark in Glassell Park emailed that he loves KCRW’s Henry Rollins, writing, “I used to bristle at his unique DJ persona, but over time, I came to love him and his crazy eclectic playlists. I find his knowledge in history and punk rock fascinating. He's a gem and a legend."

"I'd like to give a shout-out to all the DJs working at KXLU, the college station at Loyola Marymount University, said  Jeremy in Culver City in an email. “That station's been on the air for nearly 60 years. I believe it's one of the best examples of what's possible with radio."

"KFWB and KRLA back in the day when they were rock music stations —  Dr. Demento, one of my favorite on-air personalities, also had eclectic music taste," said  Carrie in Desert Edge.

“ Dr. Demento was must listening when I was a kid in junior high school at Le Conte Junior High in Hollywood,” Mantle added. “Every Sunday night on KMET, we would make sure we were listening to Dr. Demento and his funny records.”

The question remains…

An 11-year-old winning a car in a KMPC contest in 1963.

(

Los Angeles Public Library

)

Listener support is vital to any radio station, and it’s clear KNX has many lifelong fans. AirTalk listeners highlighted their support for household KNX names over the decades like Bill Keene, Melinda Lee, Mike Roy and Jackie Olden.

As KNX makes changes, many are watching closely and thinking about the future of radio.

Listeners like Tommy in La Quinta are left wondering if the radio dial will be the same…

“I’m a hardcore listener, but I don't know about casual listeners [and] if they'll tune to AM,” he said.

After months of hand-wringing, Los Angeles and LA28 have come to a tentative agreement on how Olympics organizers will reimburse the city for its expenses for the 2028 Summer Games.

According to the deal, the private Olympic organizing committee will pay upfront for the estimated cost of services that are not eligible for federal reimbursement, like trash pick-up and traffic control. Under another proposal, the city would also be able to tap an LA28 contingency fund if it isn't fully repaid by the federal government for policing costs at Olympic venues.

The agreement is nearly nine months overdue and still needs approval by Mayor Karen Bass and the City Council.

The 2028 Olympics are intended to be privately financed, and an existing city agreement with LA28 states that the Olympics organizers, not L.A., will pay for extra costs for public services in support of the Games. But L.A. is the financial back-stop for the Olympics, meaning if LA28 goes in the red, taxpayers will pick up the bill.

Beyond that, the city services agreement presents another area where L.A. could incur additional unexpected expenses for hosting the Games. L.A. City Councilmember Monica Rodriguez warned LA28 CEO Reynold Hoover earlier this year that a bad deal could "bankrupt" the city.

Jacie Prieto Lopez, an LA28 spokesperson, and Paul Krekorian, who leads the city's office of major events, said in statements that the freshly inked agreement would help deliver a fiscally responsible Games.

"Mayor Bass’ priority is that the 2028 Olympic and Paralympic Games be fiscally responsible, protect taxpayers, and benefit Angelenos for decades to come. This agreement helps deliver that commitment," Krekorian said.

But the contract between the two parties doesn't fully resolve one of the biggest areas of financial risk for the city: the enormous cost of security for an event as extensive and high-profile as the summer Olympics and Paralympics.

Organizers are counting on the federal government to pay for public safety at Olympic venues that are considered part of a "national special security event." That includes costs for LAPD staffing. LA28 has not included security costs in its $7.1 billion budget — a fact that City Attorney Hydee Feldstein Soto criticized earlier this year.

The federal government has so far allocated $1 billion for security costs for the Olympics. Exactly where those federal funds will go has not yet been determined, and there's no guarantee they will cover all of L.A.'s policing costs.

To address this, city officials have also proposed an amendment to a 2021 agreement between the city and LA28. That amendment would establish that if L.A. is not reimbursed by the federal government for all its eligible expenses, it could dip into LA28's contingency fund of $270 million before the private organizing committee could use those funds for any legacy projects.

But that bucket of money will first be used for any costs that Olympics organizers still owe if they run out of revenue — meaning if the Olympics don't turn a profit, the city's access to that money will depend on how much is left for the taking.

Civil rights attorney Connie Rice, who has been tracking the city's negotiations with LA28, told LAist the agreement was a "PR document" not a deal. She pointed out that if the federal government does not pay up for security spending as expected, L.A. could be in trouble.

" It leaves the taxpayers with a GoFundMe strategy," she said.

The city services agreement lays the groundwork for more negotiations between LA28 and the city. Each venue will require its own agreement, to be negotiated by July 1, 2027. Venues in the city of L.A. include Dodger Stadium, the L.A. Convention Center, L.A. Memorial Coliseum and the Venice Beach Boardwalk.

The City Council's ad-hoc committee on the 2028 Games will meet Tuesday afternoon to vote on the agreement.