Santa Barbara Schools Back Online After Cyberattack

After an international cyberattack on the learning platform Canvas last week, local K-12 schools and institutions that use Canvas are back online. 

Instructure, the parent company of Canvas, shut down the platform on May 7 due to a data breach carried out by a “criminal threat actor.” Instructure reactivated the platform after a few hours, and it was available again for most users. However, colleges and universities, including Santa Barbara City College (SBCC) and UC Santa Barbara, disconnected their local access “out of an abundance of caution.”   

It led to cancelled exams across campuses last Friday and stress felt by both students and faculty, whose personal data was jeopardized by the attack. 

After Instructure resolved the issue, and with clearance from the California Community Colleges Chancellor’s Office, SBCC came back online that Friday afternoon. Later, on Monday, May 11, Canvas access was restored across all UC campuses. 

Both institutions took the opportunity to acknowledge the disruption to students and staff and remind them to practice good cybersecurity habits — including using strong passwords and being cautious of potential phishing attempts and suspicious communications. 

The Canvas hackers — a group called ShinyHunters, which took responsibility for the data breach in a message displayed on students’ Canvas accounts on Thursday — accessed basic identity data and platform content. That includes: full names, usernames, email addresses, course names, enrollment information, and messages. 

Last week’s incident was tied to a previous cyberattack on Instructure on April 29 by ShinyHunters, which claimed in a May 3 ransom letter that it had accessed data from more than 275 million people across nearly 9,000 schools. 

Although Instructure leadership said the breach was contained on May 2, the group was able to breach the platform “again” on May 7, after the company failed to contact them to resolve the breach. ShinyHunters threatened to release the data by May 12 if it did not hear from Instructure.

Instructure originally said it did not find evidence that passwords, birthdays, government identifiers, or financial information had been breached. However, in a later update on its website, that same assurance was missing. Instead, it said “Core learning data (course content, submissions, credentials) was not compromised. We’re still validating all findings, but we want to be clear about what we understand was and wasn’t affected.”

“Based on the investigation to date, we have not found evidence that [additional] data was taken during the May 7 activity,” the update said. “The investigation is ongoing, and we’ll share more as findings are verified.”

On May 11, Instructure released another update that it “reached an agreement with the unauthorized actor involved in this incident.” As part of the agreement, it continues, the compromised data was returned to Instructure, it received digital confirmation of data destruction (shred logs), and it was informed that no Instructure customers will be extorted as a result of the incident. 

“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor,” it said. “We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved.”

In a recent letter to the “Instructure Community,” Steve Daly, the company’s CEO, apologized for the disruption and a lack of “more consistent communication” from the company. Daly said the company identified a “vulnerability” in its “Free for Teacher environment” that was exploited. In response, Instructure has temporarily disabled that program while it completes a full security review. He added that a full forensics report in collaboration with law enforcement is underway and a summary of that report will be shared “as soon as it’s ready.” 

In the meantime, he emphasized that “Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.” He said that school districts and institutions will be given “clear guidance if any action is required” on their end. “Right now, there’s nothing you need to do,” he said.