- Several Utah educational institutions were affected this week by a cyberattack on the popular Canvas online system.
- Canvas was back online Friday.
- Colleges and districts are asking students and parents to remain digitally vigilant.
Several Utah K-12 school districts and colleges are asking students and parents to remain on high digital alert following a disruptive Canvas cyberattack that affected legions of schools across the country.
The Canvas system — which is used by students, parents and schools to manage grades, assignments, course notes and other digital tasks — was reportedly back online Friday morning.
The hacking group ShinyHunters claimed responsibility for the breach to Instructure, which powers the Canvas technology system.
The cyberattackers posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft told The Associated Press.
Screenshots Connolly provided showed that the group began threatening Sunday to leak the trove of data. By Friday, Instructure and Canvas had been removed from a dedicated leak site created by the ransomware group on the dark web to publish stolen data.
Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group also has been tied to other attacks, including one aimed at Live Nation’s Ticketmaster subsidiary.
For many students and educators across the country, Canvas went down Thursday at the worst possible time as many students were unable to view course materials housed within the platform to study for final exams, according to The Associated Press.
Instructure has since reported that Canvas “is fully back online” and available Friday.
“Our external forensic partner,” according to Instructure “has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform
Hacked data likely includes names and email addresses
Several Utah schools and districts responded Thursday and Friday to the Canvas cyberattack — updating parents and students on the situation, while also offering tips on staying cyber safe.
The University of Utah reported that while it uses the Canvas learning management system, its systems were not breached.
“The university takes this matter seriously and is working closely with Instructure as they coordinate with law enforcement and third-party forensic experts to determine the full scope of the impact,” according to a University of Utah release.
The university’s release added that Instructure reported that the data involved appears to be limited to personal information typically found in the campus directory such as names, email addresses and student identification numbers.
“Instructure indicated it is possible that communications contained within the Canvas platform may have been impacted in the incident, however it has found no evidence that passwords, financial records, government identifiers or dates of birth were compromised,” according to the release.
University of Utah IT services reported late Friday morning that Canvas services were again “operational.”
The college with the state’s largest student body, Utah Valley University, reported Friday that the Canvas system was “now available” and that faculty and students should be able to access class work and resume normal operations.
“We are actively monitoring this situation and appreciate patience as we continue to evaluate the incident,” noted a UVU statement, adding that students and employees should “monitor their accounts closely for unexpected activity.”
Calls for digital vigilance
Canvas is widely used across Utah’s K-12 public schools.
Early Thursday evening, the Utah State Board of Education issued a statement saying the “full scope and status of the incident” was still being determined:
“USBE continues to closely monitor the situation and coordinate with local education agencies across the state. At this time, there is no action required from students or families. Once additional information becomes available regarding any potentially impacted individuals, appropriate notifications will be issued in coordination with relevant partners.
“Out of an abundance of caution, we encourage students, families, and educators to remain attentive and be alert to unexpected emails, messages, or potential phishing attempts that may appear related to this incident. Any suspicious activity should be reported to the appropriate local education agency IT department.”
Similar messages calling for online caution were dispatched by school districts across the state.
The Canyons School District in Salt Lake County alerted its community to the Canvas data breach, emphasizing there was no confirmation that Canyons District data was involved.
The Canyons alert added that no action from Canvas users was required — but included several tips to avoid being victims of phishing attempts or other digital mischief.
- Be cautious of unsolicited emails claiming to be from Canvas or Instructure.
- Access Canvas and other school-related websites directly rather than through links contained in emails or texts.
- Never share passwords or personal information.
- Alert the district of suspicious emails that may attempt to steal passwords or other sensitive information.
- Be skeptical of information circulating online from hackers or unofficial sources, including links claiming to identify affected schools or institutions. These links may be unsafe and could expose devices to malware.
In an email to the Deseret News, Ogden School District spokesperson Jer Bates wrote there’s been no confirmation of Ogden district’s students or employee data being compromised.
Still the district is opting to pull Canvas offline through the weekend.
“Information will not be updated between Canvas and Infinite Campus (the district’s student information database) during this time,” according to a district statement to parents.
“Grades and assignments entered in Canvas will not be imported into Infinite Campus until the connection is restored.”
2024’s PowerSchool cyberattack
This week’s cyberattacks on Canvas systems is not the first time Utah schools have had to deal with the realities of digital dangers.
In late 2024, the PowerSchool online education platform was hacked — resulting in theft of sensitive student and teacher information.
Students from several Utah school districts were among the tens of millions utilizing PowerSchool across the globe.
PowerSchool reported that personal information such as names, addresses, and in some cases Social Security numbers and medical information, were stolen by “unauthorized actors” in a data breach on Dec. 28, 2024.
The hacker (or hackers) who accessed PowerSchool data did so by using a “compromised credential” to enter PowerSource, an online portal customers can use to get help with PowerSchool’s various products for schools, Education Week reported.