It is unclear what data may have been accessed during a “cybersecurity incident” impacting post-secondary students at several Canadian institutions.
A system used at thousands of colleges and universities worldwide, including in Canada, was offline Thursday at a time when many students were studying for final exams or preparing for their next term.
The shutdown of Canvas, described by Canadian universities as a “cybersecurity incident,” appeared to be caused by a hacking group called ShinyHunters, reported The Associated Press.
The system is used to manage grades, course notes, assignments, lecture videos, among other functions, the AP said. Canvas’ parent company, Instructure, says Canvas Learning Management System is used for online, hybrid and in-person learning by more than 30 million people.
Canadian students were among those impacted by the outage, including those at the University of Toronto.
In a message on a page for U of T’s student community, the school acknowledged the outage of a system known to its students as Quercus. U of T said it was “in contact with the vendor to pursue a resolution.”
What data was accessed?
Students at the Oshawa-based Ontario Tech University were also impacted by the incident. The school posted on its website that it was working with Instructure’s cybersecurity specialists, and urged students to report suspicious activity to the school’s service desk.
The University of British Columbia posted a similar message, saying it was working to “maintain learning continuity” ahead of courses starting next week.
UBC wrote, “We also recommend that faculty, staff, and students continue to be vigilant against phishing and follow best practices for protecting their accounts and data, including using strong passwords and enabling multi-factor authentication where available.”
Just what data was accessed during the incident, if any, is unclear, according to a post by the University of Alberta.
“The university is awaiting further details from Instructure regarding the scope and impact on U of A data, including the volume and types of information involved,” a post on the outage read.
“While we are working to confirm this, we do know that data such as passwords, dates of birth, government identifiers and financial information is not stored in the U of A’s Canvas and will not have been exposed.”
The school said staff and students did not need to take any action as a result of the incidents.
In an email to CTVNews.ca Friday, Simon Fraser University confirmed it was impacted by the Canvas Cloud incident. The Burnaby, B.C., school said information that may have been accessed “includes names, email addresses, student ID numbers and messages among Canvas users.”
OCAD University confirmed the Instructure/Canvas security incident impacted its students and staff, but that access has since been restored.
Western University told CTVNews.ca in an email Friday that its Ivey Business School uses Canvas, while the remainder of the school does not. The school said in a statement, “Ivey is in the process of directly notifying anyone with a Canvas/Learn profile of this incident” and that those with profiles “should be on alert for phishing messages that claim to come from Canvas, Instructure or Ivey.
Canvas back online
A status page operated by Instructure suggested the investigation into the Canvas issue began with students being unable to log into “Student ePortfolios” at 11:21 a.m. MDT Thursday. By 2:41 p.m., Instructure posted it was investigating the issue.
Canvas, Canvas Beta, and Canvas Test were put in “maintenance mode” shortly after 5:30 p.m., where the latter two programs remained as of the last update. Canvas was available again to most users by 9:17 p.m. MDT.
U of A wrote Thursday that Instructure said the incident had been “contained.”
The system was back online Friday, the AP reported.
With files from CP24.com journalist Bryann Aguilar and The Associated Press
