
Cyberattack took Canvas offline ahead of KU finals. Questions about breach linger

A statue of the Jayhawk mascot sits near Ascher Plaza on the University of Kansas campus on Monday, April 6, 2026, in Lawrence. ecuriel@kcstar.com
Key Takeaways

AI-generated summary reviewed by our newsroom.


  • The Instructure cyberattack took Canvas offline across thousands of universities.
  • KU officials said company informed them data from Lawrence & Edwards appeared implicated.
  • KU directed instructors to extend deadlines, avoid penalizing students for late work.

A Canvas outage that left University of Kansas students and instructors without access to online course materials and submission portals on the eve of finals week has been resolved, KU Provost Arash Mafi said in a message late Friday morning.

“KU Information Technology continues to monitor the situation and will reach out to spring semester instructors with more detailed information,” Mafi said in an email to students and staff.

“We recognize that this disruption affected teaching, learning, exams, and the submission of academic work,” he continued.

The outage stemmed from a cybersecurity attack on Instructure, the education technology company that owns Canvas. The platform was taken offline on Thursday after hackers commandeered it to display a ransom message threatening to leak sensitive information from 275 million users across about 8,800 universities that rely on Canvas.

In his message, Mafi directed instructors to adjust their deadlines to account for the end-of-the-semester disruption.

“Do not penalize students for missed or delayed submissions that were dependent on Canvas. You can update assignment or quiz due dates once Canvas is available,” Mafi said.

“Extend deadlines or provide flexibility for all Canvas‑based assignments,” he added. “When rescheduling affected activities, be aware that students may need time for accommodations.”

Mafi encouraged students to save timestamped copies of their work as a precaution.

In an earlier Wednesday message to university stakeholders, Vice Chancellor for Information Technology Ed Hudson said Instructure had informed KU that data from its Lawrence and Edwards campuses had been implicated.

But he attempted to assuage concerns about the apparent data breach, saying the exposure appeared to be limited to “the Instructure environment” and that “no other systems at KU were compromised.”

“User passwords are managed within university systems and are not shared with Canvas or other third-party systems,” Hudson said.

The cybercrime group ShinyHunters has claimed responsibility for the breach and demanded that a ransom payment be made before a May 12 deadline to avoid sensitive data being leaked.

Kansas State University, Emporia State University and WSU Tech, a technical college associated with Wichita State University, all use Canvas as their primary online learning management system.

Assessing the cybersecurity threat

Drew Davidson, a KU cybersecurity professor, said the Thursday Canvas outage couldn’t have come at a worse time for students trying to upload their final projects and evaluate their grades before exams begin on Monday. He has other concerns now that the system is back online.

“It was less than a 24-hour hiccup, so the real serious problem here is the exposure of data,” Davidson said.

“We know that personal information has been linked. That’s been disclosed by Instructure. Student names and emails and student IDs — that alone probably means that this data can be used in an amplification attack,” he added, referencing a type of attack where cybercriminals exploit vulnerable servers to overwhelm target systems with excessive amounts of traffic, rendering them inaccessible.

The good news, he said, is that Instructure turned off Canvas platforms voluntarily on Thursday and that access was restored successfully a day later.

“The traditional ransomware that we often see attacking big companies, hospitals and that kind of thing, is more of a data-locking ransomware or a system-locking ransomware where they say, ‘Hey, we’ve gotten in. We’ve encrypted all your data and you can’t access it until you pay us the ransom,’” Davidson said.

Davidson said Instructure owes affected universities transparency as information emerges about the cause of the breach and the breadth of sensitive data that hackers may have access to.

“The only way to move forward on these things is once Canvas knows what went wrong, they need to disclose the problem,” Davidson said. “Because if we don’t get details on how these problems happened, then we kind of can’t take the steps to fix them.”

Matthew Kelly
The Kansas City Star
Matthew Kelly is The Kansas City Star’s Kansas State Government reporter. He previously covered local government for The Wichita Eagle. Kelly holds a political science degree from Wichita State University.