News US

Another Security Threat at Canvas?

Two months after Instructure made a deal with hackers to salvage troves of stolen user data, the company—which owns the popular learning management system Canvas—has paused the delivery of data related to the breach because of a potential security threat with a third-party delivery platform. 

In May, a criminal extortion group known as ShinyHunters twice hacked Canvas and claimed that it gained access to the personal identifying information of 275 million people across 9,000 institutions. At the time, the company said the leaked information included names, email addresses, student ID numbers and user messages, but it “found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.” 

In the aftermath, Instructure CEO Steve Daly vowed to be “transparent about what happened” and provide K–12 schools and higher education institutions “with information as quickly as we responsibly could.” Over the past two months, Instructure has worked “to conduct a detailed forensic review of the data involved in this incident,” Daly said in a memo last week.

On Tuesday, the company was set to deliver to institutions the first wave of data related to the breach.

Instead, Daly said Tuesday that the company is “pausing data delivery out of an abundance of caution” after learning that “the third-party platform we’ve selected to deliver your data may have been subject to a security threat.” (In a previous memo, Instructure said institutions would receive the data “through a secure, permissioned ShareFile link sent directly from Sharefile only to the security contact(s) your institution has designated.”)

Daly assured customers—which includes the 41 percent of higher education institutions in North America that use Canvas for course delivery—that though their “data remains secure,” the company “will proceed only when we are confident the third-party platform is safe … Security is paramount, and before we upload your data, we want to take the time to assess the platform’s safety or find an alternative.”

This article was updated to clarify that the potential security threat was with a third-party provider. Instructure has not experienced a data breach.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button