SALT LAKE CITY — Thursday started like any other school day for most students.
“I just got done looking at emails, and I was talking to friends and stuff, and I was about to go to biology,” said Lance Chase, who is home-schooled.
Chase is preparing for his graduation on May 21, but became nervous during a disruption to the Canvas service he and millions of others rely upon.
“I was sitting here like, I did not work this hard to graduate just to basically get it ripped away from me just a couple weeks before,” he said.
Students and teachers around the world logged into Utah-based Canvas as usual on Thursday, but to their surprise, the system wasn’t working due to a security breach. Some even received a message from the suspected hackers themselves.
Chase saw a notification that said the website was under construction. That was before his mom, Hope, got more information.
“I got emails and texts about school not working. His fear was, 'I did log in, but am I going to be counted absent because I can’t do any work.' Then I got an email last night saying school was canceled today,” Hope said.
Based in Cottonwood Heights, Instructure operates Canvas and said the issue had been resolved as of late Thursday.
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in," the company explained. "Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate."
Instructure temporarily shut down its Free-For-Teacher accounts.
"This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
The incident wasn't the first time Instructure has had an issue. A lawsuit was filed in Texas last year, with the attorney on the case claiming it identified the exact kind of breach as a risk. Although the lawsuit was dismissed, it is currently under appeal.
Canvas is back up and running, but cybersecurity expert Nabil Hannan said vulnerabilities are always going to exist with different software.
“In cybersecurity, often we stop thinking about the human element of things because we think we can maybe buy technology or solve problems with technology, but ultimately, humans are the weakest link. We are the weakest link in all of this ecosystem. If you can compromise a person, you can compromise anything else,” explained Hannan, who serves as Field Chief Information Security Officer with NetSPI.
Hannan added that it’s no surprise hackers targeted an educational institution, because of the unique fingerprints for users.
“The damage is done," he shared, "so you can’t really do anything about guarantees about your data being safe and isn’t exposed anymore."
