(Credit: CFOTO/Future Publishing via Getty Images)
The developer of Canvas is apologizing for Thursday’s massive outage, but several class-action lawsuits are already seeking damages.
Utah-based Instructure issued the apology after the incident halted final exams at numerous universities that use the online education platform for testing and assignments. The hacking group behind the outage, ShinyHunters, also stole data on potentially tens of millions of students across nearly 9,000 schools.
“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that,” Instructure CEO Steve Daly wrote in a new post.
The company’s ongoing investigation found that “usernames, email addresses, course names, enrollment information and messages” were exposed. That’s slightly different from Instructure’s initial findings, which said that “names, email addresses, student ID numbers” had been affected. That said, usernames and email addresses can still expose a student’s full name.
Daly added: “We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.”
Instructure’s CEO also revealed that hackers exploited a “vulnerability regarding support tickets in our Free for Teacher environment,” a service that enables teachers to use some Canvas services at no cost.
ShinyHunters has been known to use English-language voice calls and impersonation, including pretending to be support desk staff, while abusing IT workflows to gain access. So it’s possible ShinyHunters called up Instructure’s Canvas support, and tricked an employee into handing over internal access, possibly by visiting a hacker-created fake login portal, another tactic the group has been known to use.
In response to the hack, Instructure has temporarily shut down the Free-for-Teacher service “while we complete a full security review,” Daly said. Instructure has also launched a “dedicated Incident Update page, a single place with what we know, what we're doing, and what's next. We'll post another update within 48 hours and we're working on delivering a summary of the forensics report; which we'll share as soon as it's ready,” he added.
Instructure says the hackers were booted out on Thursday and that Canvas is safe to use. However, court records show that at least 18 lawsuits in the US have been filed against the company since the incident. ShinyHunters initially boasted about stealing “275 million individuals' data ranging from students, teachers, and other staff containing PII (personal identifying information)," in the group’s effort to pressure Instructure into paying a ransom.
One of the class-action lawsuits, filed in Texas, also alleges that “students suffered Sensitive Education Record injuries because Instructure has indicated that the data taken included messages among Canvas users, and Canvas messages often contain confidential student communications about illness, disability accommodations, pregnancy, mental health, harassment, bullying, Title IX matters, discipline, grades, financial hardship, housing insecurity, immigration concerns, family emergencies, and safety issues, among other things.”
The lawsuit adds that one of the plaintiffs, a Baylor University student and nursing major, “had planned her finals, move-out, and return to Houston around the original exam schedule. The Instructure-caused Canvas outage disrupted those plans.”
The complaint demands that Instructure pay damages and restitution, and that it be forced to increase its cybersecurity. Another lawsuit filed in Utah is suing over the threat of identity theft from hackers stealing personal information.
Instructure didn’t immediately respond to questions about the lawsuits. It’s also unclear if the company paid the ransom, although ShinyHunters has removed Instructure’s name from its extortion website. In the meantime, Daly noted: “Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.”