Cyberattack on education software impacts Maryland school systems, colleges and students

Educational software used by thousands of students across Maryland and the nation from kindergarten through college was back online Friday after being disrupted this week by a cyberattack.

School systems and colleges paused use of the education system Canvas to manage grades, assignments, lecture videos and other tasks in the wake of the apparent ransomware attack.

The software’s vendor, a company known as Instructure, confirmed that its Canvas Learning Management System was hacked earlier this week.

The cyberattack and subsequent outage affected public school systems in Anne Arundel, Harford, Howard, Montgomery and Prince George’s counties, as well as Baltimore City, and Anne Arundel Community College, Howard Community College, the Johns Hopkins University and the University of Maryland, College Park.

A hacking group known as ShinyHunters claimed responsibility for the breach, said Luke Connolly, a threat analyst at the cybersecurity firm Emisoft. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Connolly said.

Screen shots provided by Connolly showed that the group has threatened to leak the trove of data.

Steve Proud, Instructure’s chief information security officer, wrote on the company’s status page that the compromised information included names, student ID numbers, email addresses and messages among users.

“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions,” Proud said.

Yinzhi Cao, technical director of the Johns Hopkins Information Security Institute and an associate computer science professor, said these cyberattacks are “not that rare.”

“It’s not that rare because cyber is very important these days and hackers are trying to find different targets,” Cao said.

In an email Friday morning, Howard County schools announced that access to Canvas remained turned off. It will not be turned back on until it receives information assuring that the services are safe to use.

Earlier in the week, the school system said in a district-wide email that no student, staff or parent/guardian passwords, financial information, birth dates or other government identifiers are stored on Canvas.

Rich in digitized data, the nation’s schools are prime targets for criminal hackers, who are locating and scooping up sensitive files that not long ago were on paper in locked cabinets. Past attacks have hit Baltimore City and County public schools, Minneapolis Public Schools and the Los Angeles Unified School District.

In an email to Prince George’s County Public Schools families, shared on Facebook, the district said that while no sensitive information is stored on Canvas, the incident serves as a reminder to remain vigilant.

“We are using this as an opportunity to reinforce the importance of exercising caution when communicating by email and remaining vigilant regarding suspicious messages, spam, phishing attempts or other potentially fraudulent communications,” the email said.

Cao said universities can increase protections from attacks by raising cyber awareness, providing only necessary information to third parties (such as Canvas) and conducting routine internal tests to ensure that everything is secure.

On its status page, Instructure said that, as of 9:17 p.m. Thursday, “Canvas is Available for Most Users. Canvas Beta and Canvas Test are still in maintenance.”

On Friday, it had no reports of incidents as of 5 p.m.

The attack proved disruptive.

Elizabeth Polo was in a creative writing class at the University of Maryland late Thursday afternoon when a classmate shouted, “Canvas got hacked.” A message from a hacking collective flashed on her computer screen.

“Our whole class just like was like freaking out about it,” said Polo, a junior. “Our poor professor was trying to get everyone to calm down, but it was just kind of chaos.”

But as of Friday, some educational institutions returned to using the system.

“We alerted students last night about the Canvas outage then sent a message this morning telling them that Canvas is back online,” Doug Donovan, a Johns Hopkins spokesperson, said in a statement.

The Associated Press and Banner reporters Ellie Wolfe and Ellie Silverman contributed to this story.