California colleges went big on online learning tools. Then the worst happened

Esther Mejia and Kelly Merchant had a question Friday afternoon for their professors: Where were you?

The UC Riverside public policy students were among the likely hundreds of thousands in California who lost access to the all-important academic software Canvas when it was brought down by a hacker group Thursday afternoon. Losing Canvas meant losing assignments, tests, and required reading material along with a way to communicate with instructors. The timing was especially bad for UC students, who were hunkering down for midterms or finals.

“This is a very crucial time for students to be able to access their coursework. So I definitely do think that professors should reach out,” Mejia said in an interview. “And they did not.”

Merchant heard from only one professor by Friday who addressed the downed website. She learned about the hack attack on the social media site Reddit after she was logged out of her account while finishing an assignment.

The Riverside students’ experience underscores just how central Canvas has become to higher education in California — the outage likely affected more than 1 million of the state’s university students. The hack has raised serious questions about how schools should be vetting and balancing their use of online platforms, to what extent they may be held liable for breaches, and what role policymakers should play in protecting student data and regulating edtech.

By Monday evening, the company behind Canvas had told customers, including the University of California, that it had struck an agreement with the hacking group. In an email shared with CalMatters by UC's systemwide Office of the President, the company's CEO stated that “we reached an agreement with the unauthorized actor involved in this incident” that returns data and assures it is no longer held by the attacker nor any other outside parties. Further, “we have been informed that no Instructure customers will be extorted.”

CalMatters asked the company, Instructure, if it paid a ransom, but did not immediately hear back.

The attack seems to have begun on or around April 29, when Instructure “detected unusual activity,” according to a class-action suit filed in a Texas federal court. The attack exploited a vulnerability in Canvas’s free tool for teachers.

On May 4, some Cal State campuses experienced a brief shutdown but were operational within 20 to 30 minutes, the university system said.

By May 7, Thursday, the platform was offline. The University of California system blocked access to Canvas the same day, and wrote on its website that it won’t “be restored until we are confident the system is secure. We understand this disruption is concerning.”

The hackers, a group calling itself ShinyHunters, claimed to have obtained sensitive data, including billions of messages, and threatened to release the data if they weren’t paid a ransom. The CEO of Instructure has said that core “learning data (course content, submissions, credentials) was not compromised” and Cal State has said that Canvas does not store social security numbers.

On the evening of May 7, one of Merchant’s professors, she said, shared the material students needed to complete an assignment due Friday. The professor did so using a Discord group they created for the class at the beginning of the term. Merchant appreciated the initiative, but observed that not every student checks Discord as regularly as they would their email account.

By May 9, Saturday, UC Riverside mostly restored access to the platform, with other universities coming online in the following days. Mejia had a quiz and assignment due Monday at 2 p.m. She received a note from the professor of that class only at 9 a.m. that day through Canvas, she said. The professor granted a two-day extension.

Merchant wants more professors with a communication back-up plan, especially since Canvas has been down before. “Whether it’s a cybersecurity thing or routine Canvas maintenance, it’s going to continue to be a risk. And we have to prepare for it.”

“These situations are fluid and campuses and UCOP communicated as quickly and completely as feasible,” said UC Office of the President spokesperson Stett Holbrook.

For many colleges and high schools, Canvas has become indispensable, with teachers using it to give quizzes, message students, post grades, and more.

Almost 9,000 colleges, K-12 schools and school districts, and offices of education around the world were reportedly affected by the Canvas outage, according to the hacker group and other media, along with likely millions of students and teachers. California seemed to be hit especially hard. The institutions relying on the system and affected by the cyberattack included Stanford, at least some campuses at the University of California, USC, all 22 California State University campuses and all 116 of the state’s community colleges.

The number of students ultimately affected by the breach could be staggering. The Cal State system alone enrolls more than 400,000 students. The UC system, where hackers claimed to hit six of 10 campuses, enrolls about 300,000. The hacker group listed the Los Angeles Unified and Fresno Unified school districts as among their targets — they too enroll more than 400,000 students combined.

Deputy chancellor of the LA Community College District, Nicole Albo-Lopez, told CalMatters that Canvas was being used by students in thousands of courses, including as a “repository for gradebooks, sharing of course materials, and messaging.” The district is among the largest community college districts in the country, with nearly 200,000 students annually.

Canvas, she said Friday, still hadn’t informed them of what’s been exposed in the hack. “We’re supposed to receive specific information about what was accessed in our specific system, but we have not received that yet,” she said.

‘Eggs in one basket’

One expert said the incident highlights the problem of relying on “all-in” solutions for online education tools.

The attraction of software like Canvas is that it allows institutions without technical expertise to easily manage everything on a single platform. But the hack shows the danger of relying on such centralized systems, where a breach of one company exposes the data of the countless institutions that rely on it.

“The beauty of these software as a service systems and what they sell is, ‘Hey, your staff members don't need to run this, we'll just handle it,’” said Jake Chanenson, an education technology researcher and PhD student at the University of Chicago.

In the best case, those companies have diligent cybersecurity teams protecting student data.

Many schools without tech departments, by contrast, may only be equipped to give any new tools “a cursory, at best, privacy and security assessment,” Chanenson said. Small schools, especially, may then struggle to recover from a breach or outage.

But a centralized system also means that only a single point needs to be hacked for every school that uses the software to be affected.

Chanenson, who is currently researching “critical infrastructure" in schools, said that “when you put all your eggs in one basket across schools, it makes these targets very attractive.”

One state lawmaker wants a legislative audit into California's heavy reliance on Canvas. “The Canvas breach exposes the growing risks of concentrating massive amounts of student records, academic systems and institutional operations into a single platform," said Sen. Melissa Hurtado, a Democrat from Bakersfield, in a written statement.

What now?

It may be too early to identify the consequences of the hack for schools and for Canvas. It’s still not clear, for example, how the breach happened, or the full extent of data that was compromised.

At minimum, schools will want to reassess how much information they’re willing to give over to third-party software companies in the name of efficiency. Those companies, Chanenson said, should also take a look at their policies around data collection and retention to minimize how much sensitive information they store.

“You think in your head that any data set that you have has a non-zero probability of being leaked or breached or some sort of privacy loss, then you want to start thinking about things like data minimization,” he said.

Past data breaches have led to legal consequences for the companies and institutions involved, including action by state attorneys general. There are federal legal protections for data belonging to children under 13, through the Children's Online Privacy Protection Act, as well to students, under the Family Educational Rights and Privacy Act. In California, the Student Online Personal Information Protection Act protects data for K–12 students. Lawmakers in the state are also actively considering additional data protections.

The state has grappled with previous compromises of school data. Los Angeles Unified School District has faced a series of class-action lawsuits related to data privacy breaches. Most recently, the district disclosed last year that a telehealth vendor it worked with experienced a breach.

Chanenson points out that schools are prime targets for hackers since they hold immensely sensitive data but often lack the technical prowess of other large institutions, like banks.

“They’re happening with enough of a frequency that it’s more of a when, not an if,” he said.

CalMatters reporter Adam Echelman contributed to this story.

This article was originally published on CalMatters and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.