When students in New Zealand opened their laptops at some point in early May to access Canvas, the learning platform that the majority of them use on a daily basis to access lectures, turn in assignments, and message their professors, they discovered nothing. The system wasn’t working. Not momentarily, not in a restricted manner, but completely and unexpectedly offline, leaving thousands of students in the middle of the semester with impending deadlines and no idea when things would get back to normal. It’s the type of interruption that initially appears to be a technical annoyance. It wasn’t.
The American technology company Instructure, which runs Canvas as a global service, was the source of the breach rather than any one university. Unauthorized access to Instructure’s systems allowed a criminal group to obtain data from approximately 9,000 educational institutions across the globe, according to the company. Some of the biggest universities in New Zealand were affected, including Auckland, AUT, and Victoria University of Wellington, whose Canvas system is known locally as “Nuku.” Names, email addresses, student ID numbers, and the contents of Canvas inbox and discussion board messages were among the information made public. Private discussions. Internal notes. The type of private digital correspondence that people send without giving security much thought.
Here, it’s important to consider the nature of what was taken. Instructure quickly clarified that no passwords, financial data, grades, or government identifiers like IRD numbers were compromised. In a narrow sense, that is comforting. However, for anyone wishing to conduct a targeted phishing campaign, names paired with student IDs paired with private message content is actually a fairly rich dataset. Experts in cybersecurity noticed this right away. It’s not necessarily a worry that a list of Auckland students will be posted online. The worry is that a criminal organization can create convincing, customized scam emails that are far more difficult to spot than generic fraud attempts by using contextual information about these individuals’ identities and academic discussions. In some respects, that threat is more dangerous, but it is also more subtle.
Most people agree that the University of Auckland handled the situation in a methodical, if not exactly comforting, manner. Over the course of several days, updates were made to the university’s website, including an acknowledgement of the breach, a postponement of Friday assessments, and a warning that the system remained unstable even after Instructure declared the incident resolved. There is a significant difference between “technically resolved” and “safe to use,” and the university deserves praise for staying within that boundary instead of pushing students back onto the platform. However, witnessing IT personnel go through “final technical verification” was not very reassuring for anyone sitting on an assignment that was due that Friday.

Not all institutions performed the same. Universities in Canterbury and Otago fared relatively well, which attracted immediate attention and, to be honest, some jealousy from other students. It turned out to be a simple explanation: instead of using the centralized Canvas infrastructure, those universities employ independent or localized learning management systems. This was presented by one commentator as a reason to completely abandon multinational data platforms. That might be an overcorrection. However, the concentration of risk is uncomfortably apparent when thousands of institutions experience a single vendor failure at the same time.
Eventually, Instructure declared that it had come to an “agreement” with the hackers, which apparently included returning and erasing the stolen data. New Zealand’s National Cyber Security Centre acknowledged that it was keeping an eye on the situation. To put it mildly, not all security experts were impressed by the notion that a deal with a criminal organization represents resolution. Once data has been extracted, it is difficult to confirm that it has actually been erased. A lingering feeling in all of this is that the full repercussions for impacted students might not materialize for months, discreetly, in the form of a suspicious email that contains just enough personal information to appear authentic.
Canvas is back online for the time being. Resubmissions of assignments are being made. The semester is still ongoing. However, it’s difficult to ignore the fact that hundreds of thousands of students went about their academic lives believing that a platform they were forced to use was protecting their data. Suddenly, they realized that the question of who actually controls their data is far more complicated than a login screen suggests.
