Names, email addresses, student numbers and correspondence between students and lecturers are said to have been stolen in a hack on the US company Instructure, the creator of Canvas. The company announced this last Friday.
The hacker group ShinyHunters, previously involved in the major Odido breach, has claimed responsibility for the hack and claims to be in possession of the data of 275 million students, lecturers and other users. The group claims that Dutch students are also among them.
At least nine Dutch institutions
Lecturers at a minimum of seven Dutch universities and two universities of applied sciences use Canvas, for example to share course materials and assignments with students. These include the two Amsterdam universities, Erasmus University, Tilburg University, Maastricht University, the University of Twente and Eindhoven University of Technology, as well as Utrecht University of Applied Sciences and Fontys.
Students can view their timetables or grades on Canvas. They can also send messages to classmates or lecturers within the Canvas environment. All that data (but not the passwords) is reportedly in the hands of the hackers.
VU response
According to the VU, the hackers have stolen data belonging to students and staff. ‘That might include names, email addresses, student IDs, and messages between users. According to Instructure, no passwords were compromised’, the VU reports in a news release. ‘VU is in contact with Instructure and has also taken extra precautions. The university is monitoring whether any student or staff data is being offered online.’ The university has made a ‘preliminary notification’ to the Dutch Data Protection Authority.
It is not yet known how ShinyHunters managed to obtain data from so many institutions. Instructure was given until yesterday to pay a ransom; if it did not, the hackers threatened to make the student data public. The hacking group did the same earlier this year with data from Odido customers when the telecoms company failed to pay the demanded one million euros.
Used worldwide
The US-based company Instructure was founded in 2008. The learning management system Canvas is the company’s core business. Around 9,000 educational institutions worldwide use it. In 2024, Instructure was acquired by investment fund KKR for 4.8 billion dollars.
A key feature of Canvas is that the software does not run on the servers of universities and colleges themselves, but on Amazon’s AWS servers. Institutions are given their own login, but otherwise Instructure manages the software and the data.
In principle, the data of one educational institution is strictly separated from that of other institutions, according to a privacy audit carried out last year by the IT cooperative SURF. But that apparently did not prevent the hackers from stealing the data of millions of users.
Negotiating
According to Dutch radio station BNR, ShinyHunters is now also calling on educational institutions to negotiate individually with the hackers regarding a ransom, so that their data remains private. This could suggest that Instructure does not wish to pay a ransom. BNR refers to 44 affected Dutch educational institutions, but that figure appears to be incorrect. Some of the institutions mentioned do not use Canvas.
The University of Twente states in a message to users that it does not know exactly which data has been stolen. Following a software update this weekend, students and lecturers should be able to use Canvas safely again. The same applies to Maastricht University, says a spokesperson.