A massive cyberattack targeting a widely used education system is affecting millions of students and teachers across the country.
A hacker group called “ShinyHunters” on Thursday claimed it breached Instructure, the parent company behind the learning management system Canvas, and threatened to release stolen data unless the schools and universities pay a ransom by next Tuesday May 12.
“Instead of contacting us, to resolve it, they ignored us and did some ‘security patches,’” the group wrote in the note that was sent to multiple schools.
The breach has impacted colleges and K-12 schools across the country, including the University of North Carolina - Chapel Hill, the University of Pennsylvania, the University of Illinois, the University of Oklahoma and other major institutions that depend on Canvas for daily operations.
Canvas is one of the nation’s largest web-based learning management systems, used by thousands of schools and millions of students and educators for coursework, assignments, messaging and classroom communication, according to the Instructure website.
Luke Connolly, a threat analyst at the cybersecurity firm Emisoft, said the hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed.
Screen shots he provided showed that the group began threatening Sunday to leak the trove of data, giving deadlines of Thursday and next Tuesday May 12. Connolly said the later date indicates that discussions regarding extortion payments may be ongoing.
Earlier this week, the Wake County Public School System in North Carolina said Instructure notified the district of the breach but could not yet confirm what information may have been accessed, WRAL reported. The district temporarily disabled Canvas on Thursday.
Duke University Chief Information Security Officer Nick Tripp told WRAL the university is monitoring the situation and said Instructure reported there was “no indication that passwords, dates of birth, government identifiers or financial information were involved.”
Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets.
Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.
