The Canvas Hack

In Spring, 2026, the Canvas Learning Management System (LMS) was hacked. Reportedly, 8,809 institutions were hit, over 3 terabytes of data were exfiltrated, and about 275 million users--students, staff, faculty, and administrators--were affected.

What happened, and when?

  • April 25: criminal cyber-extortion group ShinyHunters breached Canvas security.
  • April 29: Instructure, the makers of Canvas, detected unauthorized access in their systems.
  • May 1: Instructure publicly acknowledged this incident, and claimed that it was “contained.”
  • May 7, shortly after 2:00pm MDT: Canvas was hijacked in a ransomware attack by the threat actors; when users logged in, they saw a message posted by the hackers. This message urged individual institutions to pay the ransom, otherwise academic and personal information would be leaked.
  • May 7: the University of Alberta took Canvas offline.
  • May 11: Instructure reported that it reached an agreement with ShinyHunters. It is rumoured to have paid US$10 million in ransom. As part of the agreement:
    - The breached data was returned to Instructure.
    - Instructure received digital confirmation of data destruction (shred logs).
    - No customers will be extorted as a result of this incident, publicly or otherwise.
  • May 14: the Vice-Provost (Learning Initiatives) held an online information session, giving a little more information about the incident.
  • May 15: the U of A Provost announced that full Canvas functionality would start being restored.

What are some unanswered questions?

  • Was the attack vector vishing (voice phishing)? That is, did ShinyHunters gain access to Canvas by a social engineering attack, in which a ShinyHunters member called someone at Instructure on the phone and convinced them that they were an employee who needed access?
  • Instructure did admit that the attack involved Canvas’ Free-for-Teacher product somehow, and that has been permanently discontinued. How exactly was this system involved?
  • What is Instructure doing to prevent this from happening again? Employees are a notoriously porous attack surface, compared to hardware infrastructure and software. You can upgrade your systems; you cannot upgrade people.

How was my class affected?
My Spring term PSYCH 258 course was directly affected: Canvas was unavailable for about a week. Fortunately, though, learning was not brought to a complete halt. I teach in person, so classes continued relatively normally. I still provide my lecture notes on my own course website, which was unaffected by the incident; I just emailed the class the course URL. (Bear Tracks allows instructors to send email messages to the entire class. I also have offline class lists in my marks spreadsheets.) My course website also has copies of the syllabus and assignment documents; this is redundant with my posting of these documents on Canvas.

There were two components of my courses that were impacted. First, I was unable to do in-class Wooclap polls. Well, that’s not exactly true. I was able to run the interactive polls in class on Wooclap.com, but I was not able to synchronize the results with Canvas, which is how I give participation credit. So I just gave the entire class credit for those Wooclaps. In total, four polls were affected. I have no problem giving out free marks in situations like this.

The other component was a bit more substantial. With Canvas down, how could students submit the online lab that was due on May 8? Here, too, I had a workaround. Google Forms can accept file submissions. All I had to do was email students the link to the Google Form. Grading the assignment still presented a challenge. However, Canvas was soon available with limited functionality (no access to third-party plugins like Wooclap), so I copied the submitted labs over to Canvas manually. One by one. Fortunately, some students were able to submit their labs via Canvas. But copying dozens of files took almost an hour.

What did we learn?
I have received the occasional complaint from students about having some course materials on a separate website. I realize it may be a little bit confusing and different, if you are expecting everything to be on Canvas. But I do have a link to it on Canvas, so there is not a tremendous amount of extra effort required. This incident illustrated the advantages of redundancy. In case of a disaster, not everything has to come to a crashing halt. The cost is that it takes a little bit of effort on students’ part, and a lot of extra effort on my part. I think it’s worth it.

I’m happy that the University of Alberta did not have to pay any ransom. There is no money in the budget for that. I guess I’m satisfied that Instructure paid the ransom to keep everyone’s personal information from becoming public. It’s not like I have any deep dark secrets on Canvas, but I acknowledge that students probably do not want all of their grades made public.

Finally, everyone--corporations, institutions, individuals--has a long way to go to ensure privacy and security. Yes, enable encryption and passwords on your devices; keep them updated. More importantly, be suspicious. What if you were to get a late-night email from your instructor’s email address, pressuring you to send them your login ID and password because of [reasons]? Fraud is becoming an increasing concern. According to a new study:

Scams are now one of the most common crimes in the world. In the United Kingdom, for example, scams account for 40% of all reported crimes. A 2024 report from the Global Anti-Scam Alliance states that about half of the world’s population is faced with a scam solicitation at least once a week.

The cost of scams worldwide is estimated to be more than $5 trillion USD a year—roughly equivalent to the combined 2024 budgets for Germany, France, Italy, and the United Kingdom. But victims often do not recoup their funds, and for close to 90% of cases, victims do not report that fraud occurred.
Be wary!

Why aren’t you studying?
