Canvas hack exposed California schools’ cybersecurity gaps


By Foad Kosmud, CalMatters

A student’s laptop displays a support screen as they try to log into Canvas at Panera Bread in Stockton on May 7, 2026. Photo by Larry Valenzuela, CalMatters

This commentary was originally published by CalMatters.

The last message I expected to receive on Thursday afternoon was a request from a student to defer an assignment because of a cyber attack. Canvas, the tool through which millions of students around the world submit their work, check their grades, watch lectures and take tests, was unavailable to teachers and students at the end of the school year.

People posted screenshots of the ransom note on social media. Something like this had to happen after all. It’s the inevitable consequence of the centralization of information.

About an hour after I got the message, I was trying to assess the damage. It wasn’t that bad for me. I give paper tests and quizzes and regularly create Slack workspaces for my classes. I mainly use Canvas to link to documents and allow students to check their results and reflect on their assessments. It was a real hassle when the only answers to “How am I doing in this class” were in a personal grade book in the instructor’s office.

But I’m probably in the minority. Many of my colleagues depend heavily on Canvas, especially for larger or online classes – ones that don’t have live lectures. For them it was “deeply destructive”, as the California Association of Educators said.

I had never heard of the parent company Instructure before, and until this hack I didn’t know that Canvas content was stored centrally. It’s at least a decade-old trend to move services off-campus to save costs. All types of records and student databases are now off site.

The idea is always the same: save money by doing things at scale. Eliminate expensive maintenance and data storage. Why pay for servers and IT staff for technology that will be obsolete in a few years? Vendors that contract with college campuses swear it’s safe, secure, and won’t be used to train AI.

The risk of having millions of student records and multiple terabytes of data in one place is rarely even considered by decision makers. Experts have warned about these vulnerabilities for over a decade. And that’s not the only problem with vendors doing business with universities.

Many students and faculty began reporting that normal service had been restored by Friday afternoon, nearly 24 hours later. By Monday, Instructure announced how the hackers did it. Everyone knows how this works when major breaches occur. Our personal information is certainly already out there, like so many old passwords we get warnings about. Even if the hackers are paid, can we really trust that they deleted the data?

The real question is whether California officials and university administrators are any wiser now. Will our schools and offices continue to transfer personal data to outside companies to save a few bucks?

Of course, huge companies already store our emails and credit card transactions. We take the risk and deal with the violations. But should they also store our school grades, food orders, security footage, license plates? And who can we trust?

Some are great at security. Some clearly aren’t.

This article was originally published on CalMatters and is republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.
