Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

In summary
A massive hack of the Canvas education platform hit California particularly hard. What happens next?
Esther Mejia and Kelly Merchant had a question Friday afternoon for their teachers: Where have you been?
The public policy students at UC Riverside were among the likely hundreds of thousands across California who lost access to the all-important academic software Canvas when it was taken down by a hacking group Thursday afternoon. Losing Canvas meant losing assignments, tests, and required reading material along with a way to communicate with instructors. The timing was particularly bad for UC students who were waiting for midterms or finals.
“It’s a very important moment for students to have access to their coursework. So I definitely think professors need to reach out,” Mejia said in an interview. “And they didn’t.”
Merchant had heard from only one professor by Friday, who reached out to the taken-down website. She learned about the hack on the social media site Reddit after she was logged out of her account while completing a task.
“Professors need to reach out. They haven’t.”
Esther Mejia, Student, UC Riverside
The Riverside students’ experience underscores how central Canvas is to higher education in California — the outage likely affected more than 1 million of the state’s university students. The hack raised serious questions about how schools should check and balance their use of online platforms, the extent to which they can be held accountable for violations, and what role policymakers should play in protecting student data and regulating edtech.
The attack appears to have started on or around April 29, when Instructure, the company behind Canvas, “detected unusual activity,” according to a class action filed in federal court in Texas. It exploited a vulnerability in Canvas’s free tool for teachers, the company later disclosed.
On May 4, some California State campuses experienced a brief outage, but were back up and running within 20 to 30 minutes, the university system said.
By May 7, Thursday, the platform was offline. The UC system blocked access to Canvas the same day and wrote on its website that it would not “be restored until we are certain the system is secure. We understand this outage is troubling.”
The hackers, a group calling themselves ShinyHunters, claim to have obtained sensitive data including billions of messages and threatened to reveal the data if a ransom was not paid. The CEO of Instructure said that basic “learning data (course content, statements, credentials) were not compromised,” and Cal State said that Canvas does not store Social Security numbers.
One of Merchant’s professors, she said, created a Discord group for the class at the beginning of the term and on Thursday night shared the materials students needed to complete a Friday assignment. She appreciated the initiative, but noted that not every student checks Discord as regularly as they would their email account.
By May 9, Saturday, UC Riverside had almost restored access to the platform, with other universities coming online in the coming days. Mejia had a test and assignment on Monday at 2 p.m. She didn’t get a note from the professor for that class until 9 a.m. that day through Canvas, she said. The professor extended the deadline by two days.
Merchant wants more professors to have a backup communication plan, especially since Canvas has failed to work before. “Whether it’s cybersecurity or routine maintenance of Canvas, it will continue to be a risk. And we need to prepare for it.”
UC Riverside and the system-wide UC president’s office did not immediately respond to a request for comment.
For many colleges and high schools, Canvas has become indispensable, with teachers using it to give quizzes, message students, post grades, and more.
Nearly 9,000 colleges, K-12 schools, school districts and education services worldwide were reportedly affected by the Canvas outage, according to the hacker group and media reports, along with probably millions of students and teachers. California seems to have been hit particularly hard. Institutions relying on the system and affected by the cyberattack include Stanford, at least some UC campuses, USC, all 22 California State University campuses and all 116 community colleges in the state.
The number of students who will ultimately be affected by the breach could be staggering. The California State system alone includes more than 400,000 students. The UC system, where hackers claim to have hit six of 10 campuses, includes about 300,000. The hacking group named the Los Angeles Unified and Fresno Unified school districts as among their targets — they also enroll more than 400,000 students combined.
LA Community College District Vice Chancellor Nicole Albo-Lopez told CalMatters that Canvas is being used by students in thousands of courses, including as a “repository for notebooks, sharing course materials and messaging.” The district is among the largest community college districts in the country, with nearly 200,000 students annually.
Canvas, she said Friday, has not yet informed them of what was revealed in the hack. “We need to get specific information about what was available in our particular system, but we haven’t yet,” she said.
One expert said the incident highlights the problem with relying on “all-in” solutions for online learning tools.
The appeal of software like Canvas is that it allows institutions without technical expertise to easily manage everything on one platform. But the hack shows the danger of relying on such centralized systems, where a breach in one company exposes the data of countless institutions that rely on it.
“The beauty of these software-as-a-service systems and what they’re selling is, ‘Hey, your staff members don’t have to manage this, we’ll just handle it,'” said Jake Chanenson, an educational technology researcher and PhD student at the University of Chicago.
At best, these companies have diligent cybersecurity teams protecting student data.
In contrast, many schools without technical departments may only be equipped to give any new tool “at best a cursory assessment of privacy and security,” Chanenson said. Small schools, especially, may then find it difficult to recover from a breach or disruption.
But a centralized system also means that only one point needs to be hacked to affect every school that uses the software.
Chanenson, who is currently researching “critical infrastructure” in schools, said that “when you put all your eggs in one basket in schools, it makes those goals very attractive.”
One state lawmaker wants a legislative audit of California’s heavy reliance on Canvas. “The Canvas breach exposes the growing risks of concentrating vast amounts of student records, academic systems and institutional operations on a single platform,” Sen. Melissa Hurtado, D-Bakersfield, said in a written statement.
It may be too early to determine the implications of the hack for schools and Canvas. It is not yet clear, for example, how the breach occurred or the full extent of the data that was compromised.
At the very least, schools will want to reevaluate how much information they’re willing to hand over to third-party software companies in the name of efficiency. Those companies, Chanenson said, should also look at their policies around data collection and retention to minimize how much sensitive information they store.
“You think in your head that any set of data you have has a non-zero probability of being leaked or breached or some kind of privacy loss, then you want to start thinking about things like data minimization,” he said.
Past data breaches have resulted in legal consequences for the companies and institutions involved, including actions by attorneys general. There are federal legal protections for data belonging to children under 13 through the Children’s Online Privacy Protection Act, and for students under the Family Educational Rights and Privacy Act. In California, the Online Student Privacy Protection Act protects K–12 student data. State legislators are also actively considering additional data protection.
The state has grappled with past compromises of school data. The Los Angeles Unified School District has faced a series of class action lawsuits related to data privacy violations. Most recently, the district revealed last year that a telehealth provider it works with experienced a breach.
Chanenson points out that schools are a prime target for hackers because they hold extremely sensitive data, but often lack the technical power of other large institutions, such as banks.
“They happen with enough frequency that it’s more of a when rather than an if,” he said.
CalMatters reporter Adam Echelman contributed to this story.