For many who have watched over the past fifteen years as higher education gradually shifted every aspect of academic life onto a small number of software platforms, the Instructure hack was the dreaded continuation of a long-standing discussion. For universities, Canvas is not merely a tool. It is becoming more and more the actual location of the university: lectures and homework, grades and submissions, messages during office hours, the quiet panic texts TAs receive at 11:47 p.m. the night before a final. The terror was real when 8,800 institutions found out nearly simultaneously that ShinyHunters had affected all of that. It involved examining a syllabus that had been stored on a system that was inaccessible for three days.
Technically speaking, the most secure portion of Instructure’s infrastructure was not breached. The back door was the “Free-For-Teacher” tier, a free version of Canvas intended for individual teachers to test out the platform. That tier had laxer authentication requirements and less stringent monitoring, and its user base was dispersed enough for anomalies to pass unnoticed. The attackers gained access in late April and, over the course of several days, extracted enough data to threaten a 3.65-terabyte breach by early May. Since then, Instructure has completely discontinued the free tier, which speaks to the company’s confidence in its analysis of the cause of the breakdown.
In its public statements, Instructure has emphasized that the hacked data did not contain passwords, financial information, or government identification. In some respects, the information that did leak (usernames, email addresses, course enrollment records, and internal platform messages) is more worrisome. These are the raw material for extremely targeted phishing campaigns. A scammer who knows that a sophomore at a certain university was enrolled in a particular organic chemistry course, and that they messaged a specific TA in late April, can craft a lure that hardly resembles the awkward “Nigerian prince” emails of ten years ago. There’s a sense that this breach’s second wave of damage hasn’t even started yet.
The timing, however, was what made the episode a national story. The planned rhythm of the defacements and login portal takeovers during final exam season revealed that ShinyHunters had a thorough understanding of the academic calendar and knew just when leverage would surge. Universities, including all of the Ivy League, had to disable Canvas at the worst possible time. Some pushed exams to paper. Some grading was postponed.
A few people improvised covertly on Google Drive and email, something that would have appalled IT departments two years ago but is exactly what happens now. In order to avoid the leak deadline, Instructure paid an undisclosed ransom and claimed to have received digital confirmation that the data had been erased. Federal authorities and cybersecurity specialists were unimpressed.

The ransom might have been the most sensible course of action. It is also possible that it set a precedent the industry did not need. ShinyHunters got paid. Other groups are now aware that an ed-tech supplier with thousands of institutional customers can be coerced into making a payment during a crucial period. Numerous class-action lawsuits have already been filed, and the response is being reviewed by the Department of Education and the Department of Homeland Security. Instructure faces considerable legal risk, but higher education as a whole is more vulnerable, since this industry has spent the last 20 years consolidating its data into a small number of vendors without fully considering the implications of that concentration.
The larger pattern is difficult to ignore. City governments, hospitals, and school districts have all been here. The lesson keeps arriving and is only gradually absorbed. Universities are now being advised to implement multi-factor authentication, examine their Canvas API integrations, and prepare for the impending phishing onslaught. Some will. Some won’t, until something compels them. It remains genuinely unclear whether this breach will be the catalyst for higher education to reconsider its reliance on a small number of platforms or whether it will just be another bad week that will be brought up in a future event. The students who took paper final examinations this year, however, will probably remember.