On May 7 LBCC had a major outage of the Canvas learning platform. Canvas was down for eight hours from about 1:30 to 9:30 p.m., disrupting many afternoon classes and cutting students off from their assignments and midterms.
Even several weeks later, students and staff might have some concerns about how this cyberattack affected the college and students’ private information. Although the college prepares as best it can, with so many digital tools in use by the college, incidents similar to this one are bound to happen again.
On April 25, Instructure, the company that owns and operates the Canvas learning platform, had a data breach in which hackers accessed Canvas systems and stole user data, such as student X-numbers, email addresses and enrollment status. On May 1, Instructure disclosed this breach in a public incident report, and the next day, they updated the report, stating they “believe the incident has been contained” and closing the report four days later.
On May 7, however, the login page for Canvas was replaced by the same hackers with a message threatening to release the stolen information from a list of affected schools unless a ransom was paid by May 12. LBCC was on that list of colleges; however, as stated by a separate incident report by Instructure, most information that was stolen by the hackers is considered “directory” or public information that can be requested of the institution without prior notice or consent. This information specifically was “usernames, email addresses, course names, enrollment information and (Canvas) messages.” The canvas messages were the only nondirectory information that was leaked and therefore posed the most concern, according to the college.
The hackers who perpetrated the hack purported to be part of a group that calls itself “ShinyHunters.” The group is a known criminal extortion group that primarily funds itself through information brokerage – buying and selling information. The group has been in operation since 2019 and has claimed responsibility for several high-profile data breaches, such as at Ticketmaster and Google. They are primarily known for sophisticated use of phishing and other attacks.
The Commuter spoke with Craig Huseby, LBCC’s chief information officer, to answer questions about how the hack affected students and what the school is doing in response. In an email sent to students and staff on May 12, Huseby noted that Instructure doesn’t believe there will be a release of any personal user information.
Instructure later confirmed in a webinar that they paid the ransom. Huseby explained that there is a reputational aspect at play for the hackers; taking the ransom and not releasing the information makes businesses more likely to pay the ransom in the future.
LBCC will not be taking any direct actions in response to the incident, as none of LBCC’s systems were directly compromised, Huseby said. While the school takes security breaches seriously, and goes to great lengths to ensure its partners are upholding security policies, this is not the only system that LBCC uses that has been breached. Further, due to the large number of different systems that the school uses the likelihood that none of them experience a breach at any point is very low.
“Nobody sees the 99 times you got it right, they only see the one time you got it wrong,” he said.
As far as specific recommendations for students, Huseby stressed three major points:
- First, do not reuse your passwords, especially for key accounts such as banks and schools. In his words, “Don’t, don’t, don’t.”
- Second, change your passwords about once a year for important accounts.
- Third, be wary of phishing emails. Be skeptical of any emails from addresses you don’t recognize, or that try to pressure you into giving away any personal information.
Instructure recommended many of the same things in their incident report, with an additional recommendation to trust your instincts. If something feels off, it likely is, and it is much easier to verify a suspect email with LBCC’s tech support department than it is to recover your information after it has been stolen. Contact them at student.techsupport@linnbenton.edu or call 541-917-4630 or text 541-704-7001.
Overall, this incident reminds users that we entrust organizations with a lot of personal information, and things happen. It’s a question of if, not when. Students and others must remain cognizant of their own digital security as well.
