Several Canadian universities, including the University of Toronto, University of British Columbia, and University of Alberta, are grappling with the fallout from a significant cyberattack targeting the Canvas learning management system. The attack, which has affected approximately 9,000 institutions globally, has raised concerns about potential data breaches and disruptions to online learning.
Instructure, the U. S.-based parent company of Canvas, confirmed it detected unauthorized activity on April 29th. The company believes the attackers gained access through a specific type of teacher account. While Instructure says there's no evidence that passwords, financial information, or government-issued identification details were compromised, the data involved may include names, email addresses, student numbers, and personal messages. The hacking group ShinyHunters has claimed responsibility for the attack, alleging they've stolen data from 275 million individuals, including students, teachers, and staff. The group is reportedly demanding a ransom to prevent the public release of the stolen data.
In response to the breach, some Canadian universities have taken precautionary measures. The University of Toronto temporarily shut down its Quercus system, which is based on Canvas. Other universities, like the University of Alberta, have also taken the platform offline and are urging users to be vigilant against phishing emails. The incident underscores the increasing cybersecurity risks faced by educational institutions and the importance of robust data protection measures.
This latest cyberattack highlights the need for Canadian universities to review their cybersecurity protocols and ensure adequate protection of student data. Last November, privacy watchdogs in Ontario and Alberta released a report concluding that over five million Canadians were affected by a previous cyberattack on PowerSchool, and that school boards lacked adequate response plans. The provincial privacy commissioners recommended that boards review their agreements with service providers, implement monitoring systems, and ensure adequate breach policies are in place.
