The University of Iowa’s campus in Iowa City was one of many US colleges affected by the Canvas outage. The system, widely used in American education, suffered a cyber-attack that disrupted final exams across the country.
On Thursday, a nationwide Canvas outage left students and faculty scrambling as the academic year came to a close. Many students took to social media to express panic over losing access to course materials needed for final exams.
Impact on Schools and Universities
Universities and school districts quickly notified students and parents. The University of Texas at San Antonio announced it was postponing finals scheduled for Friday due to the outage. The director of information technology at the University of Iowa’s College of Public Health described it as a national-level cybersecurity incident.
Virginia Tech acknowledged the effect on final exams and end-of-semester activities. The University of New Mexico sent a similar message, while the University of Florida warned students about potential phishing messages posing as Canvas.
Teachers and Students Struggle
Teachers had to find workarounds to help students study and submit assignments. Damon Linker, a senior lecturer at the University of Pennsylvania, noted on X that his students relied on Canvas for all readings and lecture slides. He described the situation as leaving students and faculty “dead in the water.”
The Harvard student newspaper reported the system was down there, and Johns Hopkins University students received error messages when trying to view final grades. In Spokane, Washington, public school officials reassured parents that no sensitive data appeared to be compromised.
Hacking Group Claims Responsibility
The hacking group ShinyHunters claimed responsibility, according to Luke Connolly, a threat analyst at Emsisoft. Instructure, Canvas’s parent company, did not respond to requests for comment. The group posted that nearly 9,000 schools worldwide were affected, with billions of private messages and records accessed.
Connolly provided screenshots showing the group began threatening to leak data on Sunday, with deadlines of May 7 and May 12. The later date suggests ongoing discussions about extortion payments.
Education Sector Under Cyber Threat
US schools, rich in digitized data, are prime targets for criminal hackers. Past attacks have hit Minneapolis public schools and the Los Angeles Unified School District. Instructure has not posted about the attack on social media.
Connolly noted the Canvas attack resembles a breach at PowerSchool, where a student was charged. ShinyHunters, a loose group of US and UK teenagers and young adults, has also been tied to attacks on Live Nation’s Ticketmaster.
