Canvas Cyberattack Impacts Santa Barbara Schools 

Thousands of schools were victimized on Thursday by an international cyberattack on Canvas, a learning platform used for course websites, assignments, and communication — targeting the personal data of millions of students and teachers. Among them are local K-12 districts and colleges, including Santa Barbara City College. 

It’s quite the disruption for students, many of whom are in the midst of preparing for or taking their final exams as summer approaches. 

SBCC announced Canvas was shut down by Instructure, Canvas’s parent company, at approximately 1:30 p.m. Thursday due to the data breach. Shortly after, “out of an abundance of caution,” the college disconnected its local access.

On Thursday evening, after shutting down for several hours, Instructure said the software was online again and available for most users. However, as of Friday at 11 a.m., SBCC was still waiting for clearance from the California Community Colleges Chancellor’s Office to move forward with reconnecting their local access to Canvas.  

According to a statement from California Community Colleges’ Executive in Residence for Strategic Technology Initiatives Jory Hadsell, on Friday afternoon, Canvas was coming back online across the California Community Colleges system, through a “careful, phased approach” to protect systems and user information. Hadsell advised campus communities to remain alert to potential phishing or scam attempts, including being cautious of “unexpected emails” or messages asking for personal information or including suspicious links or attachments.

Meanwhile, SBCC is advising students to avoid accessing Canvas and to log out of all instances of Canvas, both mobile and desktop, until the issue is resolved. Exams across campus on Friday were canceled.

Instructure said the attackers — hacking group ShinyHunters, which took responsibility for the data breach in a message displayed on students’ Canvas accounts on Thursday — accessed basic identity data and platform content. That includes: full names, email addresses, student ID numbers, private messages, and in some limited cases, course and enrollment information or metadata and occasional phone numbers.

“We understand how inconvenient this situation is, given we are at the end of the semester,” the college said in a message to staff on Thursday. “We will continue to update the campus as this situation progresses.”

Other schools allegedly impacted by the attack include schools in the Santa Barbara Unified School District and the Santa Maria Joint Union School District, according to the ShinyHunters data leak site. 

“This was a corporate-level incident at Instructure and was not a breach of Santa Barbara Unified’s internal systems,” said Public Information Officer Ed Zuchelli. “While the platform is now fully operational and secured by Instructure’s security teams, we continue to monitor the situation closely.”

Similarly, Santa Maria Joint Union School District’s public information officer, Kenneth Klein, said, “At this time, we have not been notified by Instructure that our district had any data compromised.”

The attack also affected schools across the University of California system, including UC Santa Barbara. All UC locations were instructed by the UC Office of the President “to temporarily block or redirect Canvas access, and Canvas access will not be restored until we are confident the system is secure.” According to UCSB’s Canvas webpage, as of Friday afternoon, Canvas was still unavailable for UC campuses. “We apologize for this inconvenience and will provide updates to the campus as soon as they are available,” it says. 

Thursday’s incident was tied to a previous cyberattack on Instructure on April 29 by ShinyHunters, which claimed in a May 3 ransom letter that it had accessed data from more than 275 million people across nearly 9,000 schools. 

Instructure said it did not find evidence that passwords, birthdays, government identifiers, or financial information had been breached. The breach was “contained” as of May 2, according to a statement from Instructure’s chief information security officer Steve Proud. 

But ShinyHunters on Thursday claimed that it was able to breach Instructure “again” after the company failed to contact them to resolve the breach. ShinyHunters threatened in its message to leak an unspecified amount of data on May 12 if it didn’t hear from Instructure, including “several billions of private messages among students and teachers.”’ 

The group also encouraged affected institutions to consult with cybersecurity experts and reach out “to negotiate a settlement,” but it was unclear on Friday whether the hackers reached out directly to any Santa Barbara school districts or colleges. 

“Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards,” Instructure said in an update on its website on Thursday. 

The company has since confirmed that the “unauthorized actor” carried out the activity by exploiting an issue related to its “Free-for-Teachers” accounts. 

“This is the same issue that led to the unauthorized access the prior week,” it said. “As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts.” 

The company said it also engaged a third-party forensic firm and notified law enforcement, alongside implementing other security measures.

“Canvas is fully back online and available for use,” it said. “Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.”

---

---