Canvas Paid Hackers — Student Data Risks Are Just Starting

The Canvas cyberattack of last week caused a major disruption to finals week for thousands of students in North America, preventing them from taking exams, assignments, and coursework. The breach by ShinyHunters ransomware has revealed that educational sites are now considered to be critical infrastructure in schools. Canvas said that personal information, such as full names, email addresses, student IDs, course and enrollment data, and billions of private messages were compromised, and that it paid an undisclosed ransom to get a digital confirmation from the attackers that “all affected records have been destroyed and will no longer be recoverable.”

The first result was paying the ransom and criminals’ assurances of avoiding a leak. However, the Canvas breach prompts a larger question: Does the money paid to a hacker actually ensure the protection of student information and can a school believe the assurances of criminals when it comes to the deletion of data?

Ransom will prevent immediate leakage, but it will not help recover stolen information. Student information is once it is exfiltrated, it can pass through many hands. As in the PowerSchool incident, extortion can occur beyond the payment. If so, then they were reportedly paid up and then went back to extortion for thousands of school districts.

Criminals, like ShinyHunters, work for profit and reputation. Their business model is that they tell victims that paying will minimize harm. Some extortioners will honor the promise, but that doesn’t mean they’re trustworthy. There is a risk of data being duplicated, for affiliates to store files, and for the archive to reappear months later, for identity theft, targeted social engineering and safety issues for students and staff.

The Canvas incident reveals that cloud-based platforms are the many pillars of the modern educational experience. Canvas is the classroom, gradebook, messaging system, exam system and records pipeline in many schools. The failure of one platform cascades: students aren’t able to take finals, teachers can’t log in to coursework, and administrators try to get on top of it.

The concentration of functions raises the stakes in the school cybersecurity and student privacy arena. The attack has exposed the vulnerability of more than 8,000 schools and millions of students and teachers to just one attack. But not only are companies able to come to an agreement with attackers, institutions and families must be sure that the information of their students is actually secure after the ransom is paid.

If the attackers gain access to students’ records, the problems are not limited to the immediate disruption. When names, emails, and student ID’s are exposed, the risk of identity theft is evident. Stolen data can also be used to create social engineering attacks and deceive students, parents, and employees into disclosing more personal information. If financial information and Social Security numbers are not in the leak of Canvas, then the information that is public can be used in conjunction with other sources to create dangerous profiles.

The long tail of harm needs to be taken into account here too – archived copies of messages, enrollment records can be used months or years later. The PowerSchool case illustrates that even if someone promises to delete information, it still doesn’t stop the future extortion or leakage. The history of such practices makes it logical that communities should seek greater assurances and independent verification from companies about data destruction.

The Canvas breach should be a cautionary tale that paying ransom is a temporary solution, not a solution. Institutions and vendors should focus on multiple layers of security and contingencies. Key actions include:

• Backup plans and redundancy: Ensure that there are off-line or alternative systems for critical functions in place, in case of exits, so exams and grade reporting can proceed.
• Data minimization – Minimize student data stored on a single platform and only keep what is essential.
• When a vendor says that data has been destroyed, look for independent verification, such as through an audit or forensic report.
• Incident response drills: Simulate realistic output scenarios, and have teachers and students have clear, rehearsed procedures in case of a platform failure.
• Transparent communication: Give students and families clear, compassionate information on what data was impacted and what protections are being taken.

While these measures won’t eliminate the risk, they will limit the use of a single vendor and make it more difficult for attackers to wreak mass havoc.

The incident in Canvas is a challenge to the education ecosystem of trust. Payment of a ransom might prevent a current leak, but it does not eliminate the uncertainty about the safety of student information in the long run. The protection of students and staff is a responsibility of both the school and the vendor/policymaker. This is about making data systems more resilient, necessitating independent verification after breaches, and data protection as a continuous obligation rather than just a business transaction.

Students and families should get answers and lasting protections. Discussions after the Canvas compromise should be about what precautions can be taken, what assurances can be made, and what contingency plans can be developed to continue teaching in classrooms and build trust in communities when the next breach occurs, rather than what we wish had happened.