Several top Canadian universities hit in massive global data breach
Major universities in Canada are among thousands that have been impacted by a worldwide data breach involving the learning management system Canvas.
Canvas’s U.S.-based parent company, Instructure, first notified users about a “cybersecurity incident perpetrated by a criminal threat actor” on May 1.
On May 2, the company shared that the Canvas data breach involved user information, including names, email addresses, and student ID numbers, as well as messages among users.
“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions,” stated Instructure.
As of Wednesday, the company says Canvas is fully operational, and the data breach has been resolved. It advised users to follow security best practices, including using multifactor authentication on accounts and reviewing admin access.
Universities impacted by the Canvas data breach
Todamo/Shutterstock
Several universities in Ontario were affected. On Thursday, the University of Toronto shared a notice on its community page alerting users of a cybersecurity incident involving Quercus, which is what Canvas is known as at the school.
“The parent company of Canvas (known at U of T as Quercus) is managing a cybersecurity incident. Multiple universities are affected. We are in contact with the vendor to pursue a resolution,” it reads.
U of T has not shared an update as of Friday morning.
OCAD University also notified students about the Canvas data breach and advised them to be aware of phishing messages that claim to come from Canvas, Instructure, or OCAD.
“Especially messages asking you to click a link, re-enter your password or provide personal information,” stated the university.
Ontario Tech University’s website also has a notice regarding the cybersecurity incident and advises users to report suspicious activity.
In western Canada, the University of Alberta shared an update Friday morning, stating that Canvas is still offline and that it is working with Instructure to learn more.
“University of Alberta Canvas users should not attempt to access Canvas until further notice,” reads the notice. “More information about how this will affect courses and exams, and other updates will continue to be provided through this page as new information becomes available.”
UBC also warned its students of the cyberattack on May 7.
“The university is working to maintain learning continuity for courses starting next week and will be contacting affected community members in the coming days,” reads a notice from Thursday evening.
The school also warned staff and students of phishing and advised them to use strong passwords and enable multifactor authentication.
In an email to Daily Hive, SFU said it’s currently investigating the situation, adding that the incident affected around 9,000 universities worldwide.
Daily Hive has reached out to McGill University and the University of Calgary for confirmation on whether they were impacted by the Canvas data breach.
Who might be behind the Canvas data breach?
Brian A Jackson/Shutterstock
Cybersecurity journalists from Hackread reported that the incident is linked to the cybercrime group ShinyHunters.
The publication says it obtained the full list of affected institutions impacted by the Canvas data breach.
“It is massive, indicating the vast scale of the theft and impacting around 15,000 institutions across the U.K., Europe, and the U.S.,” reads a report from the news outlet.
“ShinyHunters claim that they have stolen 3.65 terabytes of data. This includes a whopping 275 million records, and it isn’t just basic info, as it contains billions of private messages between students and teachers.”
Some of the universities Hackread mentioned that were on the list include:
- University of Oxford
- University of Melbourne
- University of Cambridge
- University of Hertfordshire
- University of British Columbia
- Harvard, Stanford, and Columbia University
With files from Amir Ali