
A ransomware attack on Instructure, the parent company of Canvas, occurred at 3:30 p.m. on May 7. The attack, conducted by a hacking group named ShinyHunters, left students and teachers unable to log in to their Canvas accounts for over six hours.
In a status update on May 11, Instructure reported that it had reached an agreement with the hackers, who have now returned the stolen data. In that agreement, Instructure received digital confirmation of data destruction (shred logs) and was informed that no Instructure customers will be extorted as a result of this incident.
Shiny, who prefers to remain anonymous, had stated that he was seeking payment by May 12 and was threatening to leak personal information, such as usernames, passwords, grades and in-app messages.
Co-conspirator Wavy, who also prefers to remain anonymous, notes that although high school districts were affected, “universities are the main [target].”
D219 Chief Technology Officer Phil Hintz sent a 9:20 p.m. email on May 7 notifying teachers and staff of the incident, and sent another email at 12:00 p.m. on May 8 to students and families directing them to an Instructure FAQ page for more information.
College freshman (Class of 2025) Khadija Khan was preparing for finals at University of Illinois Urbana-Champaign when she received a message that students should not attempt to access Canvas and that final exams would be postponed.
“Late on [May 7] they sent out an email postponing all finals that were scheduled on Friday, Saturday, and Sunday,” Khan said. “This caused a lot of confusion, and I was just scared they were going to postpone it to a day where I already had a final, and that would be really stressful for me as I was moving out on Friday too.”
It was a stressful few days for students who were trying to finish the semester and leave for the summer.
“I know an international student who already bought a plane ticket home for the weekend after they thought they would take their finals on Friday,” Khan said. “It was a non refundable ticket, so she had to leave without taking finals, and now has to email her professors to see what she could do.”
According to information released by Wavy, D219 was not affected by the breach. Nevertheless, West students were prevented from accessing Canvas. Senior Carly Krygowski was frustrated at not being able to access her work in progress.
“I was so furious,” Krygowski said. “I have final projects due for three of my classes and I couldn’t access any of them. All my grades were inaccessible, and I was super upset. With senior year coming to a close, there was a chance I wouldn’t be able to get full credit.”
Junior Daud Chaudhry was hoping that this incident would postpone final exams at West.
“I wish it’ll ease the pressure of finals and end-of-year assignments,” Chaudhry said.
In a statement on the Instructure site, CEO Steve Daly outlined new security measures and apologized to users.
“Rebuilding trust takes time,” Daly said. “We’re going to earn it back through consistent action and honest communication. We’re in this for you and your community.”
