Full Report
Universities across the US reported widespread outages on Thursday after a cybersecurity incident affected the Canvas online learning platform used by colleges nationwide. The disruption involved software from Salt Lake City-based Instructure, which operates Canvas and builds technology for online learning and corporate training. Universities including Stanford, Columbia and Princeton were among the schools that reported outages tied to the incident or warned students to remain alert for suspicious messages.
Analysis Summary
# Incident Report: Widespread Canvas Platform Outage and Data Breach
## Executive Summary
In May 2024, a major cybersecurity incident targeted Instructure, the parent company of the Canvas online learning platform, resulting in widespread service outages across numerous US universities. The incident led to the unauthorized access of sensitive student and faculty information, including PII and internal communications. Initial reports and threat actor claims suggest a large-scale data theft and extortion attempt by a known cybercriminal group.
## Incident Details
- **Discovery Date:** May 1, 2024
- **Incident Date:** May 1, 2024 – May 7, 2024 (Ongoing)
- **Affected Organization:** Instructure (Canvas LMS)
- **Sector:** Education Technology / Higher Education
- **Geography:** United States (National)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around May 1, 2024.
- **Vector:** Likely credential compromise or vulnerability exploitation (unconfirmed).
- **Details:** Instructure CISO Steve Proud reported a cybersecurity incident involving a “criminal threat actor.”
### Lateral Movement
- **Details:** The threat actor gained sufficient access to Instructure’s systems to affect the Canvas platform globally and access databases containing university-specific data.
### Data Exfiltration/Impact
- **Details:** Compromised data includes names, email addresses, student ID numbers, and internal messages/correspondence between users. Threat actor "ShinyHunters" claimed responsibility, indicating intent to extort.
### Detection & Response
- **Discovery:** On May 1, Instructure identified unauthorized activity. On May 7, service outages became widespread and public.
- **Response actions taken:** Instructure initiated an investigation; universities (Harvard, BC, Stanford, etc.) disabled access or displayed "scheduled maintenance" screens to protect users.
## Attack Methodology
- **Initial Access:** Unconfirmed (ShinyHunters has often used credential stuffing or exploited cloud misconfigurations).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Potential theft of student/faculty credentials or session tokens.
- **Discovery:** Reconnaissance of Instructure's multi-tenant database environment.
- **Lateral Movement:** Movement within Instructure’s infrastructure to access various university tenants.
- **Collection:** Gathering of PII and user messages.
- **Exfiltration:** Large-scale transfer of student identifying information.
- **Impact:** Platform-wide outage (Denial of Service) and data breach.
## Impact Assessment
- **Financial:** Unknown extortion demand from ShinyHunters; potential forensic and legal costs for Instructure.
- **Data Breach:** Names, emails, student IDs, and private user communications.
- **Operational:** Total loss of access to learning management systems for Ivy League and major state universities, disrupting courses and grading.
- **Reputational:** High public visibility; erosion of trust in third-party EdTech providers.
## Indicators of Compromise
- **Network indicators:** Requests originating from known ShinyHunters infrastructure (infrastructure details not public).
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Large-scale unauthorized data export; platform-wide "Maintenance" redirect screens on Canvas domains (hxxtps[:]//canvas[.]instructure[.]com).
## Response Actions
- **Containment measures:** Instructure restricted access to affected modules; universities triggered emergency notification systems.
- **Eradication steps:** Ongoing system hardening and credential resets for administrative accounts.
- **Recovery actions:** Harvard and other institutions provided status updates as Instructure worked to restore platform availability.
## Lessons Learned
- **Key takeaways:** Third-party systemic risk is high in the education sector; a single point of failure (Canvas) can disrupt the entire US higher education landscape.
- **What could have been done better:** Earlier transparent communication from the vendor to affected universities might have allowed for more proactive phishing defenses.
## Recommendations
- **MFA Implementation:** Ensure Multi-Factor Authentication is enforced for all LMS administrative and student accounts.
- **Phishing Awareness:** Conduct immediate training for students regarding suspicious messages claiming to be from "IT Support" or "Canvas Admin."
- **Vendor Risk Management:** Universities should review the data retention and security policies of third-party SaaS providers.
- **Monitoring:** Implement enhanced logging and monitoring for anomalous API calls to the Canvas platform.
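The monitoring recommendation above, and the "large-scale unauthorized data export" behavioral indicator listed earlier, both come down to spotting one API credential pulling user or message data at a scale or breadth no single institution's integration would need. The script below is an added example written for this report; it is not Instructure's code and does not reflect how Canvas actually logs requests. The log format (timestamp, tenant, token id, method, path, status, rows returned) and the tenant names are constructed; the three REST paths (`/api/v1/accounts/:id/users`, `/api/v1/courses/:id/users`, `/api/v1/conversations`) are real Canvas endpoints that return PII or messages, and the thresholds are illustrative starting points to be tuned against a tenant's own baseline.

```python
"""Flag API tokens that read user or message data in bulk or across many tenants.

Added example for the incident report above; constructed log format, not Canvas's own.
Assumed columns: timestamp tenant token_id method path status rows_returned
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. tok_9f1 sweeps four tenants in two minutes (cross-tenant
# fan-out), tok_55d pages through 600 users of one tenant (volume), tok_22c is a
# normal course integration reading one roster.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z tenant-a tok_9f1 GET /api/v1/accounts/1/users?per_page=100 200 100
2024-05-01T02:14:05Z tenant-b tok_9f1 GET /api/v1/accounts/1/users?per_page=100 200 100
2024-05-01T02:14:09Z tenant-c tok_9f1 GET /api/v1/accounts/1/users?per_page=100 200 100
2024-05-01T02:14:12Z tenant-d tok_9f1 GET /api/v1/accounts/1/users?per_page=100 200 100
2024-05-01T02:15:40Z tenant-d tok_9f1 GET /api/v1/conversations?scope=inbox 200 50
2024-05-01T09:00:00Z tenant-b tok_22c GET /api/v1/courses/101/users 200 35
2024-05-01T09:02:11Z tenant-b tok_22c GET /api/v1/courses/101/assignments 200 12
2024-05-01T10:00:00Z tenant-a tok_55d GET /api/v1/accounts/1/users?per_page=100&page=1 200 100
2024-05-01T10:05:00Z tenant-a tok_55d GET /api/v1/accounts/1/users?per_page=100&page=2 200 100
2024-05-01T10:10:00Z tenant-a tok_55d GET /api/v1/accounts/1/users?per_page=100&page=3 200 100
2024-05-01T10:15:00Z tenant-a tok_55d GET /api/v1/accounts/1/users?per_page=100&page=4 200 100
2024-05-01T10:20:00Z tenant-a tok_55d GET /api/v1/accounts/1/users?per_page=100&page=5 200 100
2024-05-01T10:25:00Z tenant-a tok_55d GET /api/v1/accounts/1/users?per_page=100&page=6 200 100
"""

# Path suffixes of the Canvas endpoints that return user PII or private messages.
USER_DATA_PATHS = ("/users", "/conversations")


def parse_line(line):
    """Parse one constructed log line into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, tenant, token, method, path, status, rows = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "tenant": tenant,
        "token": token,
        "method": method,
        "path": path.split("?", 1)[0],  # drop the query string before matching
        "status": int(status),
        "rows": int(rows),
    }


def is_user_data_read(rec):
    """Only successful reads of PII/message endpoints count toward export volume."""
    return (rec["method"] == "GET" and rec["status"] == 200
            and any(rec["path"].endswith(p) for p in USER_DATA_PATHS))


def find_bulk_readers(log_text, window=timedelta(hours=1),
                      tenant_threshold=3, row_threshold=500):
    """Return {token: finding} for tokens whose reads within any sliding window
    touch >= tenant_threshold distinct tenants or return >= row_threshold rows."""
    per_token = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_user_data_read(rec):
            per_token[rec["token"]].append(rec)

    findings = {}
    for token, recs in per_token.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until all records fit inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            tenants = {r["tenant"] for r in window_recs}
            rows = sum(r["rows"] for r in window_recs)
            reasons = []
            if len(tenants) >= tenant_threshold:
                reasons.append(f"{len(tenants)} tenants within {window}")
            if rows >= row_threshold:
                reasons.append(f"{rows} user/message rows within {window}")
            # Keep the heaviest offending window seen for this token.
            if reasons and rows >= findings.get(token, {}).get("rows", -1):
                findings[token] = {"tenants": sorted(tenants), "rows": rows,
                                   "reasons": reasons}
    return findings


if __name__ == "__main__":
    for token, f in find_bulk_readers(SAMPLE_LOG).items():
        print(f"{token}: {', '.join(f['reasons'])} (tenants: {', '.join(f['tenants'])})")
```

The cross-tenant signal matters more than the volume one in a multi-tenant LMS: a legitimate SIS sync or reporting integration may page through thousands of users, but it does so inside its own account, so one token reading rosters or inboxes from several unrelated tenants in the same hour is the pattern worth paging on. Volume thresholds should be set per tenant from a few weeks of normal traffic rather than the illustrative 500 used here.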