The University of Toronto campus. U of T, the University of British Columbia and the University of Alberta are among Canadian schools affected by a hack that potentially impacted more than 8,000 institutions around the world.Nathan Denette/The Canadian Press
A massive cyberattack hit several major Canadian universities this week as hackers demanded ransom payments and threatened to release student data.
The University of Toronto, the University of British Columbia and the University of Alberta are among the largest Canadian schools affected by a hack that potentially touched more than 8,000 institutions around the world.
The hack locked up the Canvas learning management system, made by a company called Instructure and used by thousands of schools to organize courses and handle communication between students and instructors.
On Thursday, when students at the University of Toronto and elsewhere logged on to Canvas they saw a message from a hacking group that calls itself ShinyHunters. It had breached the company’s site, the group said, and appealed to the affected schools directly, asking they contact a cyber advisory firm to negotiate a ransom, giving a deadline of May 12. If not, they threatened to leak the stolen data.
Instructure said in a statement on its website Friday that the incident is contained and that Canvas is again available online. But some of the Canadian schools involved, such as UBC, U of A and the U of T, said Friday that their sites were not available.
“We are currently advising UBC community members not to attempt to log into Canvas until further notice,” said Thandi Fletcher, a spokesperson for UBC. “We also recommend that faculty, staff, and students continue to be vigilant against phishing and follow best practices for protecting their accounts and data, including using strong passwords and enabling multi-factor authentication where available.”
David Shipley, CEO of Beauceron Security and a former cyber security lead at the University of New Brunswick, said the scale of the attack is massive.
“As far as I can tell, and my pastime is tracking a lot of these data breach statistics, this is the largest to affect the education sector,” Mr. Shipley said.
He said it’s hard to say at this point what data the hackers may have taken, because what’s available depends on how schools use the software and what kinds of information is shared on the platform. But it could range from grades, to coursework or messages between instructors and students, he said.
“If you’re a student and you’ve lost your GPA, that’s relatively trivial. The risk is if passwords were actually somehow accessed,“ he said. ”Because what will happen is that password files, if any were exposed, would get traded and then used in AI-automated attacks to try and break into everything associated with your email.”
He said it’s too soon to judge how damaging the attack has been. It could take quite some time before institutions have a handle on what has been lost. Other schools affected include Ontario Tech University, Simon Fraser University and the Ontario College of Art and Design University.
“This is going to put extraordinarily high strain on the higher ed sector in Canada. They don’t have large security teams. They don’t have large data privacy teams. They’re going to be swimming in this, and it’s not even their fault,” Mr. Shipley said.
Instructure said it was first aware of an attack on April 29. On Thursday, the company discovered additional activity stemming from the same attack and took the site offline.
The company said the April 29 incident involved personal information such as names, email addresses, student ID numbers, and messages between users on the platform.
“We have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved,” Instructure said, in a note on its website.
Mr. Shipley said the hacking group that has claimed responsibility is notorious for its ransomware attacks on major corporations.
“These guys are the top of the cyber crime, non nation-state headaches,” he said. “They’re being chased right now by every law enforcement heavy you can imagine. The FBI wants these guys so bad.”
Ian Linkletter, an emerging technology and open education librarian at the British Columbia Institute of Technology, which was not affected, said a cyber attack on this scale highlights the reliance that many schools have on third-party software providers, in this case based in the U.S.
“This is an opportunity to assess how our safeguards failed,” Mr. Linkletter said.