Canvas is a platform developed by Instructure which is used by MANY educational institutions (from K-12 to major universities). The learning management system (LMS) has (once again) been hacked, putting MILLIONS of students’ personal information at risk, since the group responsible for the breach is threatening to release it all should their ransomware demands not be met.
This web-based LMS is used by thousands of schools and millions (30 million according to Instructure) of students and educators for coursework, assignments, messaging and classroom communication. The hacking group responsible (ShinyHunters) stated that over 9,000 schools worldwide are affected. The note left by the group:
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some “security patches”.”

Back in September 2025, Instructure noted a security breach (at a third-party provider) but without many details (this is probably what ShinyHunters was referring to).
Tangent: My take on this (having seen it from the inside when I used to be involved full-time with tech) is that IT security has always been a nebulous area of grandiose speak which, when you dig down deep enough, turns out to be “full of holes” (especially in “modern” systems).
There are reasons why some old institutions have kept using these “archaic” architectures (the COBOL programming language running on IBM mainframes still dominates banking). I know people who work in that unglamorous area because they learned this old stuff in management information systems in the ’80s and ’90s. The stuff just works for what it needs to handle.
Financial transaction processing is one of the most critical processes, and nearly every technology since the ’90s that has tried to replace it has failed to meet all of the stringent requirements. Similarly, banking ATMs for the longest time relied heavily on OS/2 (which changed hands in the past and is now known as ArcaOS), which was developed by IBM in the late ’80s and ’90s to offer a similarly robust operating system for the personal computers (pre-Intel 80486) of the time (Microsoft, however, overtook it with Windows NT).
The fact is that those older operating systems and vertical applications, when designed for “mission critical” environments, tended to be audited and hardened with a different programmer mindset (compared to what ended up proliferating post-Y2K). And once the commercial internet became ubiquitous, a lot of that old-school mindset went out the window (not helped once hardware began to offer much more headroom in terms of RAM). End Tangent.
The breach caused chaos for students on Thursday when the LMS was taken offline at many of these schools in order to investigate. While Canvas was reported to be back online today after Instructure said the issue had been contained and remediated, several universities are taking a more cautious approach to restoring access; the University of California system said access will not be restored “until we are confident the system is secure.”
Myself, I feel like a dinosaur reading this stuff because my entire education, from K-12 to college, was handled the old-school way. And even once I became involved with tech, I was never enamored with the encroachment of these computer-based learning systems, where you can bet that things like the security of personal information were never at the high end of the priority scale.
The corporate PR speak regarding security and privacy has always been something I’ve taken with a grain of salt (having seen for myself how sloppily a lot of this stuff was handled behind the scenes). The terms of use/service and privacy policies many of these companies put out aren’t worth the “paper they are printed on” (did you see what I did there? It’s all text on a screen, which companies that rely on harvesting your personal data lie about, and if caught, the fines they end up paying are a pittance compared to the revenues they generated from it).
Many of these companies rely heavily on other partners (which can become the weak link in the chain). That doesn’t absolve any of these companies from bearing responsibility when personal data ends up being compromised. This is exactly why Discord got fried just as they were about to roll out their age verification system and had to push it back when people began looking into the partners they were using for earlier user verification.
IMHO, all of these companies should be heavily fined and/or executive/senior management should be required to take huge pay cuts when breaches that expose a significant amount of personal data occur. The credit/identity theft monitoring services are such a blatantly weak offering by many of these firms, when their top priority should be actually safeguarding that data.
And how much does anyone want to bet these educational institutions will continue patronizing Instructure versus having actual real discussions and doing their part to hold the company accountable, or better yet, pulling the plug and maybe going back to the old, time-tested way that many of us grew up with?
Sure, there are exceptions to this (and I commend those companies and the personnel who take these privacy/security details seriously, versus the usual PR word salad that many hide behind, and continue to hide behind, whenever they end up with a major security breach).
