The online education platform Canvas is mostly back online today after a cyber attack left students and teachers at thousands of schools and universities scrambling.

More than 8,000 schools at every level, including colleges and universities across the world, use Canvas to submit assignments, access course materials, and manage grades.

The outage came at one of the worst possible times, forcing some universities to delay final exams.

The cyber attack has raised many questions about schools vulnerability, the dependence on such platforms, and other risks.

Ally Rogan zeros in on those concerns.

Ally, that's right, Canvas's parent company, Instructure, says it detected an initial breach on April 29th before a second hack yesterday brought Canvas fully offline.

A group called Shiny Hunters claimed responsibility, reportedly threatening to leak billions of private messages and other records, giving a deadline of this Sunday to negotiate a settlement.

Instructure says Canvas is now back online, and it will continue to monitor the situation, but the incident raises questions about our educational systems reliance on technology and what happens when that technology becomes a liability.

For more, I'm joined by Luke Connelly, a threat intelligence analyst at McSoft, a cyber security firm.

Luke, thank you so much for joining us.

We know that this is still a very fluid situation, but what do we know so far about how this hack unfolded?

Well, as you said, it uh seems to have taken place at the end of uh April.

There are a number of techniques that these cyber criminals use in order to gain access.

Um but once they gained access they uh they apparently started exfiltrating or or downloading stealing data from the customers of um instructure which are universities and and school boards across across North America.

So there are universities and schools affected in the United States affected in Canada and and beyond as well.

And uh from the dark website which is maintained by the criminal group Shiny Hunters, they made the claim um and with an initial deadline of the 6th of May and there was a second post yesterday saying that they've extended the deadline as you've said and when I checked the dark website this morning, neither of those posts are still there.

So there's no longer a threat up and the data has not been released on Shiny Hunter's um uh data repository site.

So something has happened today and as you say the the situation is changing daytoday and hour to hour.

So let's talk about the scope of this hack.

The hackers say that about 275 million teachers, students, staffers were affected.

Of course that's their assertion.

We don't know any there hasn't been any independent confirmation.

But but what can you tell us about how big of a deal this is?

Well, it really comes down to what information all of those educational institutions, all the schools and universities and colleges are actually using this application for.

Um I don't have visibility into that.

Uh there hasn't been any uh significant data shared online by the criminal group.

So whether they were able to download th this amount of data and how um how compromising the data is, how much personal information has been downloaded is uh up for debate.

Um they have told us as you said that they have personal personally identif identifiable information.

They've told us that they have um millions of records of conversations, personal conversations between teachers and students, but they're also criminals.

So we don't really know.

they that could be the case, but it could be a lie in order to try to pressure the victims to pay a ransom or an extortion fee.

What sort of questions though would you have about the vulnerability of this platform?

Um, aside from questions about what exactly was accessed this time, but just the fact that these hackers were able to access this much information from this many individuals, what does that say about the vulnerabilities that exist?

Well, if they're able to gain that level of access that lets them see customer data across thousands of customers, universities, school boards, schools, um teachers, students, administrative staff, there's uh there's a privilege.

There's um an access issue that's that's pretty severe.

And um you know over the last 15 years we've had this transition from companies and and schools you know buying software installing it on a computer on their premises in their building and and running it to to accomplish their their tasks.

And we've moved towards having all of that data residing in the cloud with companies like Salesforce and um in structure and and all of that data and all of the infrastructure is now maintained by them.

So we have to you know part of that part of that contract should be that they are taking adequate measures to protect the data because um the data is really where the value is and and the data is really potentially compromising for um for minor age students as as well as uh as well as teachers and staff.

And what we're seeing is that the threat actors are often targeting these software providers, software as a service providers, because if they're able to reach them once, they can get access to hundreds or thousands of schools and potentially millions or even hundreds of millions of student records.

So, it's it's a pretty dire situation.

to that point.

Um, are we overrelying on these sort of educational technology platforms to be handling all of this this sensitive information?

You know, that's a good question.

Um, and it comes down to what budgets do the school ha schools have if they were to maintain this infrastructure inhouse.

Um, one of the benefits, as I mentioned, of of going towards a software as a service offering is that you make the assumption that the service provider is going to have some specific skills and and expertise in order to properly set up um a cyber defensive strategy.

Uh unfortunately that's that's being demonstrated not to be the case because this is not the first time that uh a software provider providing uh software as a service to schools has been hacked and there was one uh a case early in 2025 and there were again millions of records breached in that in that um incident.

Luke Connelly with MCoft, thank you so much for sharing your insights.

Thank you very much.

It's been a pleasure.