Canvas Halts Breach Data Delivery After Security Threat Hits Third-Party Platform

Instructure has paused the planned delivery of breach-related data to Canvas customers after learning that the third-party platform selected for the process may have faced a security threat. The company said it will not upload institutional data until it determines that the platform is safe or selects an alternative.

The delay affects institutions expecting the first wave of information tied to a May incident involving the criminal extortion group ShinyHunters. Instructure said customers’ data remains secure while the company assesses the delivery platform.

Delivery Plan Put on Hold

Instructure had planned to begin sending data to institutions on Tuesday through a secure, permissioned ShareFile link. The links were intended to go directly to the security contacts designated by each institution.

Chief Executive Steve Daly said the company was “pausing data delivery out of an abundance of caution.” He said security is paramount and that Instructure would proceed only when it is confident the third-party platform is safe.

Incident DetailInformation Reported
Institutions affected by the claim9,000
People whose data was claimed to be accessed275 million
Information said to be includedNames, email addresses, student ID numbers, and user messages
Information Instructure found no evidence was involvedPasswords, dates of birth, government identifiers, and financial information

What Instructure Has Said About the Incident

ShinyHunters twice hacked Canvas in May and claimed access to personal identifying information from millions of people, according to www.insidehighered.com. Instructure said it had been conducting a detailed forensic review of the data connected to the incident over the following two months.

Daly previously pledged to be transparent about what happened and to provide K–12 schools and higher education institutions with information as quickly as the company responsibly could. The latest pause means those institutions will wait longer for the first set of data while the delivery method is reviewed.

Canvas is used for course delivery by 41 percent of higher education institutions in North America, giving the delay broad relevance across the sector. Instructure clarified that the potential security threat involves a third-party provider and that Instructure itself has not experienced a data breach.

Read more at: www.insidehighered.com
Related