The developer of Canvas, widely used by U.S. institutions for grades and class materials, issued an apology after a hack that blocked students from accessing the education tool and involved student data being stolen by a cybercriminal hacking group.
"I'll start where I should: with an apology," Steve Daly, the CEO of Canvas' parent company Instructure, said in a blog post on Monday.
ShinyHunters, a hacking group known for data theft and extortion campaigns targeting major global companies, said in a May 3 post on its website that it had stolen roughly 6.65 terabytes of Canvas data.
The data, linked to nearly 9,000 schools worldwide, included student names, email addresses and private messages between students, teachers, and other staff, the group added.
Student newspapers across the United States reported last week the hack caused widespread disruption as students prepared for end-of-year tasks and assignments.
The software is used by schools for class assignments and information sharing, as well as messaging between students and school faculty.
The Instructure CEO said Canvas "is fully operational and remains safe to use."
"Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that," Daly said.
He added the company will give more consistent updates going forward. Daly said the incident involved unauthorized access to information like usernames, email addresses, course names, enrollment information and messages.
Core learning data like course content, submissions and credentials was not compromised, he said. He said the company had identified a vulnerability regarding support tickets in the app's "Free for Teacher" environment that was exploited. That component of the app has been temporarily disabled while the company completes a full security review, Daly added.
