Post-secondary institutions in Ontario, such as the University of Toronto, are part of numerous schools affected by a cybersecurity issue involving learning platform Canvas. Instructure, the U.S.-based parent company of Canvas, initially reported a breach by a criminal threat actor on May 1. There was acknowledgment on May 2 that certain details of Canvas users, like names, email addresses, student ID numbers, and messages, might have been affected, but no evidence suggested that passwords, government, or financial data were compromised, according to Steve Proud, the company’s chief information security officer.
CBC News has verified that five Ontario schools were impacted by the breach: University of Toronto, Western’s Ivey Business School, OCAD University, Mohawk College, and Ontario Tech University. Among them, U of T, OCAD, and Ontario Tech confirmed that the breach did not disrupt classes as the winter terms were already completed.
According to David Shipley, CEO of Beauceron Security, this incident is potentially the largest educational IT hack in history and is deemed highly destructive. Instructure stated on Wednesday that Canvas was fully operational with no ongoing unauthorized activities, and they were assisting affected customers. Shipley noted that hackers returned on Thursday following the initial breach to extract more data, alter login pages, and demand payments from schools and students.
On Friday, Instructure spokesperson Brian Watkins mentioned that the unauthorized actor made changes to the pages visible to some students and teachers logged into Canvas. Consequently, Canvas was promptly taken offline for investigation. Watkins confirmed that the unauthorized actor exploited issues related to Free-For-Teacher accounts, leading to their temporary shutdown.
Despite the inconvenience caused, Canvas has been fully restored online for use. In a proactive move, U of T suspended access to the Quercus learning management software due to the security incident. The university assured that other systems remained uncompromised and reported the breach to the Information and Privacy Commissioner of Ontario.
OCAD University informed students about service disruptions to the Canvas Cloud program and warned of potential phishing attempts seeking personal information. Ontario Tech also took precautionary measures, urging vigilance against phishing emails and suspicious messages.
In a similar vein, Mohawk College experienced a temporary unavailability of Canvas due to the breach. However, no critical information like passwords, birth dates, or financial data was affected. The breach has also impacted schools in British Columbia and Alberta, as reported by the Associated Press.
The breach has been attributed to a hacking group known as ShinyHunters, as revealed by threat analyst Luke Connolly. This group, linked to various high-profile hacks in recent years, has threatened to leak data unless extortion payments are made. Screenshots provided by Connolly showed the group issuing deadlines for data leaks, suggesting ongoing discussions on ransom payments.
USA Today reported that a ransom letter from ShinyHunters had been circulated online, stating that data from millions of individuals across thousands of schools could be leaked without payment. The situation continues to evolve, with institutions like Ontario Tech monitoring the incident closely and advising reporting of any suspicious activities.