Cybersecurity Breach Impacts SMC’s Canvas Site
Canvas, an online educational tool operated by the company Instructure, was hacked on May 7, leaving students and faculty unable to log in to the site until Friday morning.
The incident began on May 1 when Instructure disclosed that Canvas had experienced a cybersecurity incident carried out by a “criminal threat actor,” according to CNN. Although the breach was contained, usernames, email addresses and student ID numbers were among the data stolen.
Halcyon, a ransomware research center, noted that on May 3, the black-hat criminal and extortion group ShinyHunters listed Instructure on its website, claiming that roughly 3.65 terabytes of data were stolen. By May 5, negotiations between the group and Instructure fell through because the group’s demands were not met, with the group claiming that Instructure “had not even bothered speaking to us to prevent a data leak.”
By May 7, users reported disruptions and said the Canvas login page had been replaced by a ransomware message from ShinyHunters, stating that Instructure had until May 12 to negotiate a settlement before all the data was leaked. The group also invited all affected institutions to consult with a cybersecurity firm to reach a compromise.
According to a campus-wide statement by Santa Monica College President and Superintendent Kathryn Jeffery, SMC’s Information Technology Department disabled all user logins to the Canvas page and instead redirected users to a webpage sharing the latest updates on the incident. By 5:45 p.m. the same day, many institutions, such as SMC, were removed from ShinyHunters’ extortion list.
On the morning of May 8, Instructure announced that Canvas was accessible for most users. According to a statement addressed to SMC faculty by SMC’s Vice President of Academic Affairs, Jason Beardsley, full access would not be restored until a final security assessment was completed by the IT Department in accordance with the guidance from the California Community Colleges Chancellor’s Office. At 7:40 p.m., Canvas was restored to all SMC users.
While there is no evidence to suggest that passwords, government identifiers or financial information were leaked, SMC’s IT Department advises all students to avoid clicking on unexpected links or pop-ups, to refrain from sharing personal information in response to unfamiliar messages and to report all suspicious emails immediately to SMC’s IT Department.
“As Canvas access is restored and online participation resumes, please show grace to yourselves as well as to students,” Beardsley said.