The Brief

Esther Mejia and Kelly Merchant had a question Friday afternoon for their professors: Where were you?

The UC Riverside public policy students were among the likely hundreds of thousands in California who lost access to the all-important academic software Canvas when it was brought down by a hacker group Thursday afternoon. Losing Canvas meant losing assignments, tests, and required reading material along with a way to communicate with instructors. The timing was especially bad for UC students, who were hunkering down for midterms or finals.

“This is a very crucial time for students to be able to access their coursework. So I definitely do think that professors should reach out,” Mejia said in an interview. “And they did not.”

Merchant heard from only one professor by Friday who addressed the downed website. She learned about the hack attack on the social media site Reddit after she was logged out of her account while finishing an assignment.

The Riverside students’ experience underscores just how central Canvas has become to higher education in California — the outage likely affected more than 1 million of the state’s university students. The hack has raised serious questions about how schools should be vetting and balancing their use of online platforms, to what extent they may be held liable for breaches, and what role policymakers should play in protecting student data and regulating edtech.

By Monday evening, the company behind Canvas had told customers, including the University of California, that it had struck an agreement with the hacking group. In an email shared with CalMatters by UC's systemwide Office of the President, the company's CEO stated that “we reached an agreement with the unauthorized actor involved in this incident” that returns data and assures it is no longer held by the attacker nor any other outside parties. Further, “we have been informed that no Instructure customers will be extorted.”

CalMatters asked the company, Instructure, if it paid a ransom, but did not immediately hear back.

The attack seems to have begun on or around April 29, when Instructure “detected unusual activity,” according to a class-action suit filed in a Texas federal court. The attack exploited a vulnerability in Canvas’s free tool for teachers.

On May 4, some Cal State campuses experienced a brief shutdown but were operational within 20 to 30 minutes, the university system said.

By May 7, Thursday, the platform was offline. The University of California system blocked access to Canvas the same day, and wrote on its website that it won’t “be restored until we are confident the system is secure. We understand this disruption is concerning.”

The hackers, a group calling itself ShinyHunters, claimed to have obtained sensitive data, including billions of messages, and threatened to release the data if they weren’t paid a ransom. The CEO of Instructure has said that core “learning data (course content, submissions, credentials) was not compromised” and Cal State has said that Canvas does not store social security numbers.

On the evening of May 7, one of Merchant’s professors, she said, shared the material students needed to complete an assignment due Friday. The professor did so using a Discord group they created for the class at the beginning of the term. Merchant appreciated the initiative, but observed that not every student checks Discord as regularly as they would their email account.

By May 9, Saturday, UC Riverside mostly restored access to the platform, with other universities coming online in the following days. Mejia had a quiz and assignment due Monday at 2 p.m. She received a note from the professor of that class only at 9 a.m. that day through Canvas, she said. The professor granted a two-day extension.

Merchant wants more professors with a communication back-up plan, especially since Canvas has been down before. “Whether it’s a cybersecurity thing or routine Canvas maintenance, it’s going to continue to be a risk. And we have to prepare for it.”

“These situations are fluid and campuses and UCOP communicated as quickly and completely as feasible,” said UC Office of the President spokesperson Stett Holbrook.

For many colleges and high schools, Canvas has become indispensable, with teachers using it to give quizzes, message students, post grades, and more.

Almost 9,000 colleges, K-12 schools and school districts, and offices of education around the world were reportedly affected by the Canvas outage, according to the hacker group and other media, along with likely millions of students and teachers. California seemed to be hit especially hard. The institutions relying on the system and affected by the cyberattack included Stanford, at least some campuses at the University of California, USC, all 22 California State University campuses and all 116 of the state’s community colleges.

The number of students ultimately affected by the breach could be staggering. The Cal State system alone enrolls more than 400,000 students. The UC system, where hackers claimed to hit six of 10 campuses, enrolls about 300,000. The hacker group listed the Los Angeles Unified and Fresno Unified school districts as among their targets — they too enroll more than 400,000 students combined.

Deputy chancellor of the LA Community College District, Nicole Albo-Lopez, told CalMatters that Canvas was being used by students in thousands of courses, including as a “repository for gradebooks, sharing of course materials, and messaging.” The district is among the largest community college districts in the country, with nearly 200,000 students annually.

Canvas, she said Friday, still hadn’t informed them of what’s been exposed in the hack. “We’re supposed to receive specific information about what was accessed in our specific system, but we have not received that yet,” she said.

‘Eggs in one basket’

One expert said the incident highlights the problem of relying on “all-in” solutions for online education tools.

The attraction of software like Canvas is that it allows institutions without technical expertise to easily manage everything on a single platform. But the hack shows the danger of relying on such centralized systems, where a breach of one company exposes the data of the countless institutions that rely on it.

“The beauty of these software as a service systems and what they sell is, ‘Hey, your staff members don't need to run this, we'll just handle it,’” said Jake Chanenson, an education technology researcher and PhD student at the University of Chicago.

In the best case, those companies have diligent cybersecurity teams protecting student data.

Many schools without tech departments, by contrast, may only be equipped to give any new tools “a cursory, at best, privacy and security assessment,” Chanenson said. Small schools, especially, may then struggle to recover from a breach or outage.

But a centralized system also means that only a single point needs to be hacked for every school that uses the software to be affected.

Chanenson, who is currently researching “critical infrastructure" in schools, said that “when you put all your eggs in one basket across schools, it makes these targets very attractive.”

One state lawmaker wants a legislative audit into California's heavy reliance on Canvas. “The Canvas breach exposes the growing risks of concentrating massive amounts of student records, academic systems and institutional operations into a single platform," said Sen. Melissa Hurtado, a Democrat from Bakersfield, in a written statement.

What now?

It may be too early to identify the consequences of the hack for schools and for Canvas. It’s still not clear, for example, how the breach happened, or the full extent of data that was compromised.

At minimum, schools will want to reassess how much information they’re willing to give over to third-party software companies in the name of efficiency. Those companies, Chanenson said, should also take a look at their policies around data collection and retention to minimize how much sensitive information they store.

“You think in your head that any data set that you have has a non-zero probability of being leaked or breached or some sort of privacy loss, then you want to start thinking about things like data minimization,” he said.

Past data breaches have led to legal consequences for the companies and institutions involved, including action by state attorneys general. There are federal legal protections for data belonging to children under 13, through the Children's Online Privacy Protection Act, as well to students, under the Family Educational Rights and Privacy Act. In California, the Student Online Personal Information Protection Act protects data for K–12 students. Lawmakers in the state are also actively considering additional data protections.

The state has grappled with previous compromises of school data. Los Angeles Unified School District has faced a series of class-action lawsuits related to data privacy breaches. Most recently, the district disclosed last year that a telehealth vendor it worked with experienced a breach.

Chanenson points out that schools are prime targets for hackers since they hold immensely sensitive data but often lack the technical prowess of other large institutions, like banks.

“They’re happening with enough of a frequency that it’s more of a when, not an if,” he said.

CalMatters reporter Adam Echelman contributed to this story.

This article was originally published on CalMatters and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

The Los Angeles City Council decided Tuesday to put off the full effects of a major new state housing law by allowing low-rise apartment buildings in some neighborhoods where such housing has long been banned.

All council members voted in favor of those plans except for Traci Park, who was absent from the meeting.

California’s Senate Bill 79 is set to take effect July 1. The law overrides local limits on housing development by allowing apartment buildings between five and nine stories tall near train stations and rapid bus stops.

However, cities are allowed to postpone those changes until 2030 by developing their own incremental plans for more housing. L.A. elected leaders have chosen to delay. They’re doing so through the city’s new Low-Rise Ordinance, which aims to allow buildings up to four stories tall in 57 neighborhoods near transit lines.

Why it matters

L.A. lawmakers have tried many approaches to bring down L.A.’s high rents. But they have consistently voted to stop apartment developers from encroaching on the nearly three-quarters of city residential land reserved for single-family homes.

Pushed by state lawmakers, city leaders are now having to accept some changes in single-family neighborhoods located near public transit lines.

The reaction

Some local officials and homeowners have expressed frustration over new state limits on their ability to stop development in low-density zones. But advocates for more development said the council’s decision will help address high rents by allowing more housing in areas that have long been off-limits to new apartments.

“The City Council voted to open up high-resource single-family neighborhoods near transit stations,” said Scott Epstein, policy director with Abundant Housing L.A. “This reform is long overdue and will help build a future where Angelenos of all incomes can find homes in the neighborhoods of their choice.”

Where will the projects be allowed?

Officials with the city’s planning department said residents can see whether Low-Rise Ordinance projects will be allowed in their neighborhood by clicking on this interactive map and making two selections from the “layer list” menu: “Opportunity Station Sites Eligible for Low Rise” and “Sites Eligible for Low Rise Outside of Opportunity Station.”

The map shows that some of the areas eligible for new apartment buildings under this plan include Westside neighborhoods within a half-mile of the E Line’s Westwood/Rancho Park station, pockets of the San Fernando Valley near G Line stops, and parts of Eagle Rock along Colorado Boulevard’s planned North Hollywood to Pasadena rapid bus line.

Is this a done deal?

Both plans — the decision to delay full SB 79 implementation, and the new Low-Rise Ordinance — now go to Mayor Karen Bass for final approval. Council members are also considering some tweaks they say would help Low-Rise Ordinance projects get built.

Those changes would include letting developers build denser projects if they reserve more units for low-income renters, as well as rules that would let developers build ground-level parking instead of costlier underground parking. The council’s planning committee voted Tuesday to forward those suggestions to the full City Council for further debate.

There’s a new tool to fight illegal fireworks this Fourth of July: drones.

“A drone’s real-time aerial view can help officers assess situations faster, improve safety, support faster response times and ensure the right resources are sent where they’re needed most,” the Anaheim Police Department stated in an Instagram post.

Anaheim's department is the latest law enforcement agency using the technology to quickly identify illegal fireworks use. The Downey City Council is expected to vote Tuesday night on potential new fines and new rules that would allow local law enforcement to use drones to patrol neighborhoods for illegal fireworks usage.

How it works

Here's how the tech is put to use: Seconds after authorities receive a call reporting illegal fireworks activity, drones can take to the air, hovering above neighborhoods and businesses to find a specific location and an offender. The surveillance devices are equipped with night vision and zoom lenses that allow first responders to record high definition videos right from their Real Time Crime Center at the station.

Then, officers can determine whether to send out a patrol car or issue a citation for the incident.

Why it matters

The city’s drone usage comes as law enforcement agencies across Southern California brace for the annual flood of complaints about illegal firework use at this time of the year. Drones make the most effective use of time and resources, experts say.

“We'll typically see about 2,000 calls and about 300 related to fireworks,” Anaheim’s chief communications officer Mike Lyster explained about the Fourth of July. “It really is a better use of resources on what is always a very, very busy holiday for us.”

Drones allow officials to collect enough evidence to issue these citations. In Anaheim, the punishment starts at $1,000 and climbs to $3,000 by the third offense. But authorities say the goal is to curb illegal fireworks use altogether due to the risk of injury and wildfires.

Lyster hopes that people will think twice about using illegal fireworks this holiday — not just because of the fines — but because of its negative impact on local communities.

“The Palisades fire was ultimately started by illegal fireworks, and sadly, not in our city, but in our neighboring city, a young Anaheim girl died in an illegal fireworks incident last year,” Lyster said.

Where are drones already in use?

More cities are testing this method in order to crack down on illegal firework use. Sacramento, San Bernardino and Riverside are just a few of the other areas that have adopted this technology in recent years.

How do I know what's legal?

If you have any questions about what is legal or not in your community, a quick Google search can help.

Each county goes by different regulations for the types of fireworks you can use — if at all.

For example, parts of Anaheim allow “safe and sane” fireworks to be used only on the Fourth of July between 10 a.m and 10 p.m. This includes non-explosive, non-aerial devices like fountains, sparklers and smoke balls. State-approved fireworks will have a State Fire Marshal seal.

LAist staffer Anjanette Gile also contributed to this report.

The story first appeared on The LA Local.

Your neighborhood has a reporter. Have you met them yet?

On Saturday, coffee shops across L.A. are turning into places where you can tell a journalist exactly what’s been bugging you about your block … while drinking amazing coffee.

From Boyle Heights to Silver Lake to Inglewood to Long Beach, local reporters will be set up at neighborhood coffee shops from from 10 a.m. to 3 p.m. — to hear what’s on your mind. Got a tip about a pothole that’s been eating tires for years? A landlord the city keeps ignoring? A community hero nobody’s written about? We want to hear it all!

It’s part of Local News Day LA, a pop-up series organized by The LA Local that connects you with your local reporter and give you a chance to become the source instead of just the reader.

LAist has been meeting community members in person through LAist Listens tabling events by popping up at local businesses.

See below for the full list of participating media outlets and coffee shops — The LA Local and our media partners hope you’ll join us:

LAist will be joining The LA Local and other local media partners for Local News Day LA on June 27.

(

The LA Local

)

Where to find a journalist

1. The LA Local – Koreatown, Pico Union, Westlake will be hosted by Open Market
2. The LA Local – Inglewood and South LA will be hosted by Asteroid Vinyl Cafe
3. Boyle Heights Beat will be hosted by Picaresca Cafe
4. CalMatters will be hosted by Yia Caffe 
5. Calo News will be hosted by Cruzita’s Deli and Cafe
6. The Eastsider will be hosted by Rosebud Coffee (Highland Park location)
7. LAist will be hosted by Cafe Calle
8. Los Angeles Radio Collective will be hosted by Spoke Bicycle Cafe
9. LA Sentinel will be hosted by Patria Coffee
10. LA Taco will be hosted by Cafecito Organico (Silverlake location)
11. LA Public Press will be hosted by Holy Grounds Coffee & Tea
12. Long Beach Post will be hosted by Wrigley Coffee
13. Q Voice News will be hosted by Hot Java
14. USC Annenberg Media will be hosted by South LA Cafe (Western location)

Come enjoy a cup of coffee (or tea) with us while supplies last. 

A coalition of 17 states and a trade association representing U.S. wholesalers and distributors have sued California to block the enforcement of a stringent recycling law that aims to reduce plastic packaging waste.

The lawsuit, filed Monday in federal court, argues that California’s recently finalized regulations that will gradually require companies to scale back single-use plastics and ensure all packaging is recycling or compostable should be struck down. The plaintiffs called the regulations “onerous mandates” that will cause steep price increases in everyday necessities that will be passed on, at least in part, to consumers.

“Once again, California is trying to enact a policy that negatively impacts the rest of the country. If California goes unchecked, consumers will be forced to pay more for basic necessities,” Nebraska Attorney General Mike Hilgers, who led the coalition, said in a news release.

The law, called the Plastic Pollution Prevention and Packaging Producer Responsibility Act, was enacted in 2022.

“Virtually every product packaged or shipped in plastic containers, as well as a significant number of other types of packaging materials that merely incorporate plastics, fall into the Act’s remarkable sweep,” the lawsuit said.

The National Association of Wholesaler-Distributors, which represents companies that import and distribute goods in California, also joined the lawsuit.

“California is not entitled to pronounce nationwide policies,” Eric Hoplin, the trade association’s president and CEO, said in a statement. “Because the Act extends California’s regulatory reach far beyond its borders and brings within its sweep conduct wholly unconnected to California, the Act violates principles of federalism, the horizontal separation of powers, and due process.”

The lawsuit argues the law violates both the U.S. and California constitutions. It asks the court to declare California’s law invalid and unenforceable, and halt its implementation.

The lawsuit names as defendants Zoe Heller, director of California’s recycling agency known as CalRecycle, and the Circular Action Alliance, a nonprofit involved with implementing the law.

Melanie Turner, a spokesperson for CalRecycle, said in an emailed statement that the agency does not comment on pending litigation and that it remained focused on implementing the law.

The alliance said in a statement that it was aware of the lawsuit and closely monitoring developments while at the same time working to implement the law’s “ambitious goals.”

In a May news release announcing regulations under the law, state officials said the changes would fight plastics pollution while protecting the interests of taxpayers and local governments.

“California is shifting the responsibility of managing single-use plastic and packaging onto the producers. New packaging reforms lower waste costs for communities and decrease garbage and pollution across the state,” Environmental Protection Secretary Yana Garcia said in a statement. “This approach pushes producers to innovate and design packaging that truly supports a circular economy.”

Joining Nebraska in the lawsuit were 16 other states with Republican attorneys general: Alabama, Florida, Georgia, Idaho, Indiana, Iowa, Louisiana, Missouri, Montana, North Dakota, Oklahoma, South Carolina, South Dakota, Texas, Utah and West Virginia.Environmental groups also have sued over the law. A coalition that included the Natural Resources Defense Council recently filed a complaint over what it said in a news release were “weakened” final regulations for the “landmark” law.