The Brief

Esther Mejia and Kelly Merchant had a question Friday afternoon for their professors: Where were you?

The UC Riverside public policy students were among the likely hundreds of thousands in California who lost access to the all-important academic software Canvas when it was brought down by a hacker group Thursday afternoon. Losing Canvas meant losing assignments, tests, and required reading material along with a way to communicate with instructors. The timing was especially bad for UC students, who were hunkering down for midterms or finals.

“This is a very crucial time for students to be able to access their coursework. So I definitely do think that professors should reach out,” Mejia said in an interview. “And they did not.”

Merchant heard from only one professor by Friday who addressed the downed website. She learned about the hack attack on the social media site Reddit after she was logged out of her account while finishing an assignment.

The Riverside students’ experience underscores just how central Canvas has become to higher education in California — the outage likely affected more than 1 million of the state’s university students. The hack has raised serious questions about how schools should be vetting and balancing their use of online platforms, to what extent they may be held liable for breaches, and what role policymakers should play in protecting student data and regulating edtech.

By Monday evening, the company behind Canvas had told customers, including the University of California, that it had struck an agreement with the hacking group. In an email shared with CalMatters by UC's systemwide Office of the President, the company's CEO stated that “we reached an agreement with the unauthorized actor involved in this incident” that returns data and assures it is no longer held by the attacker nor any other outside parties. Further, “we have been informed that no Instructure customers will be extorted.”

CalMatters asked the company, Instructure, if it paid a ransom, but did not immediately hear back.

The attack seems to have begun on or around April 29, when Instructure “detected unusual activity,” according to a class-action suit filed in a Texas federal court. The attack exploited a vulnerability in Canvas’s free tool for teachers.

On May 4, some Cal State campuses experienced a brief shutdown but were operational within 20 to 30 minutes, the university system said.

By May 7, Thursday, the platform was offline. The University of California system blocked access to Canvas the same day, and wrote on its website that it won’t “be restored until we are confident the system is secure. We understand this disruption is concerning.”

The hackers, a group calling itself ShinyHunters, claimed to have obtained sensitive data, including billions of messages, and threatened to release the data if they weren’t paid a ransom. The CEO of Instructure has said that core “learning data (course content, submissions, credentials) was not compromised” and Cal State has said that Canvas does not store social security numbers.

On the evening of May 7, one of Merchant’s professors, she said, shared the material students needed to complete an assignment due Friday. The professor did so using a Discord group they created for the class at the beginning of the term. Merchant appreciated the initiative, but observed that not every student checks Discord as regularly as they would their email account.

By May 9, Saturday, UC Riverside mostly restored access to the platform, with other universities coming online in the following days. Mejia had a quiz and assignment due Monday at 2 p.m. She received a note from the professor of that class only at 9 a.m. that day through Canvas, she said. The professor granted a two-day extension.

Merchant wants more professors with a communication back-up plan, especially since Canvas has been down before. “Whether it’s a cybersecurity thing or routine Canvas maintenance, it’s going to continue to be a risk. And we have to prepare for it.”

“These situations are fluid and campuses and UCOP communicated as quickly and completely as feasible,” said UC Office of the President spokesperson Stett Holbrook.

For many colleges and high schools, Canvas has become indispensable, with teachers using it to give quizzes, message students, post grades, and more.

Almost 9,000 colleges, K-12 schools and school districts, and offices of education around the world were reportedly affected by the Canvas outage, according to the hacker group and other media, along with likely millions of students and teachers. California seemed to be hit especially hard. The institutions relying on the system and affected by the cyberattack included Stanford, at least some campuses at the University of California, USC, all 22 California State University campuses and all 116 of the state’s community colleges.

The number of students ultimately affected by the breach could be staggering. The Cal State system alone enrolls more than 400,000 students. The UC system, where hackers claimed to hit six of 10 campuses, enrolls about 300,000. The hacker group listed the Los Angeles Unified and Fresno Unified school districts as among their targets — they too enroll more than 400,000 students combined.

Deputy chancellor of the LA Community College District, Nicole Albo-Lopez, told CalMatters that Canvas was being used by students in thousands of courses, including as a “repository for gradebooks, sharing of course materials, and messaging.” The district is among the largest community college districts in the country, with nearly 200,000 students annually.

Canvas, she said Friday, still hadn’t informed them of what’s been exposed in the hack. “We’re supposed to receive specific information about what was accessed in our specific system, but we have not received that yet,” she said.

‘Eggs in one basket’

One expert said the incident highlights the problem of relying on “all-in” solutions for online education tools.

The attraction of software like Canvas is that it allows institutions without technical expertise to easily manage everything on a single platform. But the hack shows the danger of relying on such centralized systems, where a breach of one company exposes the data of the countless institutions that rely on it.

“The beauty of these software as a service systems and what they sell is, ‘Hey, your staff members don't need to run this, we'll just handle it,’” said Jake Chanenson, an education technology researcher and PhD student at the University of Chicago.

In the best case, those companies have diligent cybersecurity teams protecting student data.

Many schools without tech departments, by contrast, may only be equipped to give any new tools “a cursory, at best, privacy and security assessment,” Chanenson said. Small schools, especially, may then struggle to recover from a breach or outage.

But a centralized system also means that only a single point needs to be hacked for every school that uses the software to be affected.

Chanenson, who is currently researching “critical infrastructure" in schools, said that “when you put all your eggs in one basket across schools, it makes these targets very attractive.”

One state lawmaker wants a legislative audit into California's heavy reliance on Canvas. “The Canvas breach exposes the growing risks of concentrating massive amounts of student records, academic systems and institutional operations into a single platform," said Sen. Melissa Hurtado, a Democrat from Bakersfield, in a written statement.

What now?

It may be too early to identify the consequences of the hack for schools and for Canvas. It’s still not clear, for example, how the breach happened, or the full extent of data that was compromised.

At minimum, schools will want to reassess how much information they’re willing to give over to third-party software companies in the name of efficiency. Those companies, Chanenson said, should also take a look at their policies around data collection and retention to minimize how much sensitive information they store.

“You think in your head that any data set that you have has a non-zero probability of being leaked or breached or some sort of privacy loss, then you want to start thinking about things like data minimization,” he said.

Past data breaches have led to legal consequences for the companies and institutions involved, including action by state attorneys general. There are federal legal protections for data belonging to children under 13, through the Children's Online Privacy Protection Act, as well to students, under the Family Educational Rights and Privacy Act. In California, the Student Online Personal Information Protection Act protects data for K–12 students. Lawmakers in the state are also actively considering additional data protections.

The state has grappled with previous compromises of school data. Los Angeles Unified School District has faced a series of class-action lawsuits related to data privacy breaches. Most recently, the district disclosed last year that a telehealth vendor it worked with experienced a breach.

Chanenson points out that schools are prime targets for hackers since they hold immensely sensitive data but often lack the technical prowess of other large institutions, like banks.

“They’re happening with enough of a frequency that it’s more of a when, not an if,” he said.

CalMatters reporter Adam Echelman contributed to this story.

This article was originally published on CalMatters and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

California voters will advance two candidates for governor to the November election in the most unsettled gubernatorial race in recent memory, concluding a long and winding primary campaign in which Democrats struggled to pick a new leader for the nation’s most populous blue state.

The decision comes at a particularly consequential time for California. Residents face a crushing cost of living, nation-topping gas prices made worse by the war in Iran, wildfire risks that have driven insurance companies out of state, an unstable state budget, impending federal cuts to the state’s expansive health system and an economy dampened by immigration enforcement.

Democratic former state Attorney General Xavier Becerra, who has promised to fight Trump and freeze insurance and utility rates, is the leading Democrat in opinion polls and is favored by much of the state’s Democratic establishment. He appeared in contention to secure one of the top two spots for November heading into Election Day.

Republican Steve Hilton, a Donald Trump-endorsed former Fox News host who has vowed to cut income taxes and slash environmental regulations, was polling in second place ahead of Election Day, having consolidated support from many of the state’s conservatives.

But billionaire climate activist Tom Steyer, a progressive Democrat who has self-funded his campaign to the tune of $213 million, was still fighting for one of the top spots. A series of polls released in the final days of the race showed Becerra in the lead with roughly a quarter of likely voters’ support, and Steyer and Hilton locked in a tight battle for second.

Votes could take days or weeks to tally. Pollsters and strategists noted that lingering Democratic uncertainty led some voters to wait so they could back whoever appears to be ahead.

“Those polls could become self-fulfilling,” said Paul Mitchell, a Democratic strategist whose company tracks ballot return data.

The race to succeed Gov. Gavin Newsom, who will leave office at the end of the year due to term limits, is the marquee contest on the ballot Tuesday. The seat is considered a shoo-in in November for Democrats, who have nearly twice as many registered voters as Republicans, and holds national importance for the Democratic Party’s pushback to the Trump administration.

It’s also been one of the most unusually open races in recent state history.

No Democratic stars in the race

In contrast to decades of California politics dominated by movie stars, family dynasties and larger-than-life personalities, none of the most recognizable Democratic names jumped into the race.

That led to a crowded field on the left, briefly causing liberals to panic that Hilton and a fellow Republican, the bombastic Riverside County Sheriff Chad Bianco, could each garner more votes than any Democrat, locking the party out of the general election. The state Democratic Party began a public pressure campaign asking lower-polling candidates to drop out. Nearly all stayed in the race.

But when Democratic then-Rep. Eric Swalwell dropped out over multiple sexual assault allegations, Becerra was the clear beneficiary, raking in many of Swalwell’s donors and supporters. He’s been surging ever since, successfully dodging criticism of his record. Steyer, who spent $200 million boosting his name recognition through campaign ads, consolidated much of the party’s left flank. Former Rep. Katie Porter, a progressive dogged by allegations about her temperament, fell behind. San Jose Mayor Matt Mahan, a moderate backed by Silicon Valley billionaires, rose from single digits in the polls, but not enough.

Trump’s endorsement of Hilton quickly helped him pull away from Bianco, making it unlikely both Republicans would come in first and second. If Hilton advances to the November election, he faces long odds of being elected against a Democrat.

Both he and Steyer have spent the final weeks of the campaign portraying Becerra as a symbol of the status quo and themselves as agents of systemic change amid multiple state crises, with affordability dominating the race.

For Hilton, that would mean ending 16 years of “one-party rule” under Democrats, slashing spending and reversing many liberal policies such as greenhouse gas reduction mandates, the progressive tax system and parts of the social safety net.

“After 16 years of everything being in one direction, that’s left a lot of people dissatisfied,” he said last week. “Anybody who wants change or balance in our politics, the only choice is for me.”

His name recognition as a former Fox host helped him start the race with a fan base. Nancy LeVesque, a retired salesperson from Roseville, already admired him and said he was an easy choice as she dropped off her ballot at a Placer County vote center on Monday. She liked that he would bring an outsider’s perspective to the governor’s office and a change for those leaving California because of its liberal politics.

“We have lost so many good people,” to other states, she said.

Steyer styled himself as a populist “class traitor” who would force lower costs for Californians by taking on monied special interests like investor-owned utilities, the real estate industry and health insurance corporations. He made a litany of progressive promises on climate change, single-payer health care and raising taxes on the wealthy.

Undecided voter Tina Varnado attended a rally last week for Steyer hosted by her union, which represents home health aides. The South Sacramento resident is a full-time caretaker for her elderly mother and her adult daughter who had open-heart surgery. Between her mother’s social security checks and her pay as her daughter’s health aide, “we do have to spend everything we have every single month” to stay afloat, she said.

“Everything he touched on really touched home for me,” she said after hearing Steyer speak. “If we can lower prices, maybe we can start putting money down on a home for my future.”

Becerra has emphasized his long experience in government, including his lawsuits against the first Trump administration and his time as U.S. Health and Human Services secretary during the pandemic.

That appealed to Evan Cragin, of the California Young Democrats, which endorsed Becerra weeks before his sudden surge. Cragin said he wants the next governor to have government experience to push back on federal “abuses” from the Trump administration.

“Secretary Becerra has done that before,” Cragin said.

Surrounded by supporters at the offices of Planned Parenthood Affiliates of California on Monday, Becerra dismissed his opponents’ promises, pointing to past accomplishments including passing the Affordable Care Act and defending the Deferred Action for Childhood Arrivals immigration program.

“You can have all these great inflated promises,” he said. “Getting things done is not easy.”

Ryan Sabalow contributed reporting.

This article was originally published on CalMatters and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

May gray has come and gone, and now it's time for June gloom.

Overcast skies will be present this morning, especially along the beaches and valleys closest to the coast. Otherwise, we're in for a partly cloudy afternoon.

Today's temperatures at L.A. County beaches will stay around 66 to 71 degrees, and reach 76 to 80 degrees for places more inland.

In Orange County, expect similar temperatures with highs from 67 to 74 degrees for Huntington Beach and surrounding areas. More inland areas like Anaheim and Garden Grove will see temperatures of up to 79 degrees.

Moving on to L.A. County valleys, expect high temperatures in the low to mid 80s.

In the Inland Empire, temperatures will range 80 to 89 degrees.

Election Day is here, but now comes the waiting.

Do you have something to watch on Netflix? Maybe you've been meaning to pick up a hobby — how about crochet? Whatever you do, take a deep breath and keep busy because it could be days (or weeks) before we get some California election results.

The state is often knocked by the rest of the country as being "slow" to count votes. But here's the deal: that's a feature, not a bug, of the election system.

The backstory

Things take a while here largely because California works so hard to expand the ways people can vote. For example:

• Californians in recent years overwhelmingly vote by mail — nearly 90% of votes cast in the 2024 presidential election were mail-in ballots. In that same year's primary the percentage was just as high. Those ballots can be postmarked up to and including Election Day. They're counted as long as the ballot arrives within seven days (for the June primary, that's June 9).
• California offers same-day voter registration at any voting center. These new voters must cast a provisional ballot, which is counted once election officials confirm their eligibility (they are overwhelmingly accepted — for example, Los Angeles County reports that historically between 85% to 90% have been counted.
• Voters also have the right to cast provisional ballots if there's any problem on election day — like if poll workers aren't able to void an outstanding mail-in ballot, or if there’s any issue calling up voter information from e-pollbooks. Again (see above), provisionals take longer to process because eligibility has to be confirmed.
• Vote-by-mail ballots require signature matching. When the one received doesn't match the one on file, county registrars must contact that voter to let them know — and give them the chance to correct it.
• And, with more than 23 million registered voters, we're really, really big. In the 2024 general election more than 16 million Californians voted (down from nearly 18 million in the 2020 presidential election). Either way, that’s more people than the total populations of all but three other states.

Why things have sped up, some

But things have sped up considerably in the 30 counties that have adopted a 2016 law called the Voter's Choice Act, including L.A., Orange and Riverside counties. In recent elections, the changes associated with that law — like voters not being locked into a designated polling location — drastically cut down the number of provisional ballots cast, which helped move things along faster than they had before.

A closer look at ballot counting times in California where an increasing number of vote-by-mail ballots has slowed ballot counts.

(

Courtesy California Voter Foundation

)

Still, accuracy and a commitment to "expanding the franchise" — translation: allowing more people to vote — means the process is not designed to produce instantaneous results.

Why you should take a deep breath Election Night

You'll have to get that endorphin hit elsewhere on June 2.

A few things to keep in mind: You may recall that during the 2024 primary, it took about a week to call the results for L.A. City Council races in District 4, where incumbent Nithya Raman was fighting to avoid a runoff election, and District 14, where challenger Ysabel Jurado wound up overtaking incumbent Kevin de León by just a few hundred votes.

It took an even longer 15 days to call the results of Prop. 1, during which opponents conceded, walked back that concession, and conceded again when the measure won by a razor-thin 0.4% margin. And it took 23 days to call the second-place winner for Orange County's 45th congressional district — it ultimately went to Democrat Derek Tran who went on to beat Republican Michelle Steel in the general election. Tran is now up for reelection and rematch with Steel is considered likely in November.

Depending on how close some of these races end up being, we may face similar waits this election cycle.

TL;DR: Officially, county and state election officials have until July 10 to certify election results — including a mandatory audit that requires hand-counting all of the ballots at 1% of precincts. Nevertheless, you're going to see a lot of national media headlines about California's relative "slowness." Brush it off. We have sunshine, beaches, and a highly enfranchised population.