Access to Canvas, the virtual learning platform used by the University of Oxford, has been temporarily suspended by the University today as a precautionary measure following an external breach of Instructure, the third-party supplier of Canvas.
ShinyHunters, a criminal hacking group, has claimed responsibility for breaching the platform and has threatened to release sensitive data, including “students’ names, their personal email addresses and messages sent between teachers and students”, unless ransom payment demands are met by 12th May. In an email sent to all students by the University, it was confirmed that “some Oxford user data is affected” and that this “may include names, email addresses… and messages exchanged between users within Canvas”.
In the email, sent on 6th May, the University said that students could “continue to use Canvas”. On 7th May, “Instructure briefly placed Canvas in maintenance mode while it dealt with the second incident; service was restored overnight”, according to a University spokesperson.
In a comment to Cherwell regarding the current suspension of the platform, a spokesperson for the University said: “The University has temporarily suspended user access to Canvas, its virtual learning platform, including Panopto recordings accessed through the platform, as a precautionary measure. The decision follows notification from Instructure, the third-party supplier of Canvas, of two incidents of unauthorised access affecting many universities internationally.
“Instructure is investigating and the University is working closely with the supplier. There is no evidence that University authentication systems, University accounts or Panopto itself have been compromised. The University recognises this disruption will be of concern to staff and students, particularly during the examination period, and is exploring measures to support access to teaching and course materials. As a precaution, staff and students are advised to remain vigilant for phishing or scam emails and to report anything suspicious to the University’s Information Security team.”
Access to Panopto, the platform which shares lecture recordings, has also been suspended. However, in the notice placed on the Canvas login page by Oxford, the University emphasised that “there is no indication that University systems or Panopto have been compromised”.
The suspension has had a significant impact on students across the University, especially for those who are almost entirely reliant on Canvas to access all materials for their course. An Engineering student told Cherwell: “Being only a week away from exams is quite frustrating, since I no longer have access to the past papers.”
A Material Sciences student told Cherwell: “It’s literally preventing me from doing any degree work as all my tutorial sheets, lecture recordings, and reading list are all exclusively on canvas”. They added that they have yet to receive any communication from their faculty regarding plans to mitigate the impact on students.
A PPE student added: “Given the pressure of a weekly deadline and the heavy reliance on Canvas for certain elements of the course, being unable to access content for several days has created needless stress.”
Some faculties have contacted their students to warn of the temporary suspension, but many remain affected and without contact. In the email sent by the History faculty to undergraduate students, they told students that “the University is putting in place measures to support access to teaching and learning materials and will seek to restore access as soon as it is appropriate to do so”, but did not expand on what these measures would involve or how long the suspension is expected to last.
The hack has affected universities across the world, with ShinyHunters listing more than 8,800 educational institutions affected, across 10 different countries – including Harvard University, MIT, and the University of Pennsylvania. ShinyHunters also claims that it has 275 million individuals’ data from across these institutions. Instructure has yet to release an official press release confirming these numbers. WIRED has suggested that never before has “a cyberattack against a single software platform so thoroughly disrupted the daily operations of thousands of schools”.
