Students and teachers at Ohio State University are now able to access Canvas after a cybersecurity incident disabled access to the learning management system at colleges and educational institutions nationwide and stole some personal data during the breach.
Students and educators at Ohio State regained access to CarmenCanvas on May 8, according to Chris Booker, a spokesperson for OSU. While access has been restored, personal information such as names, email addresses, and student ID numbers was taken during the data breach, according to Instructure, the vendor that maintains Canvas.
There was “no evidence” that account passwords, dates of birth, government identifiers, or financial information were accessed, according to Instructure. However, in that same statement, the vendor said they found “no evidence that data was taken during the May 7 activity.” The Dispatch has reached out to Instructure to clarify their statement.
A hacker group calling itself ShinyHunters claimed responsibility for the ransomware attack, according to reporting by USA TODAY. Inside Higher Ed reported that the hacker group had breached Instructure and had impacted nearly 9,000 schools worldwide, including K-12 schools and as well as colleges and universities. Kent State University was among those reporting Canvas issues.
Ohio University and Columbus City Schools are also among the educational institutions that use Canvas.
According to Instructure, the hackers were able to breach Canvas on April 29 and again on May 7 through Free-For-Teacher, a Canvas tool that allows educators to create and manage courses online for free, even if their school does not have a subscription to Canvas. Due to the data breach, Instructure made the “difficult decision” to temporarily shut down Free-For-Teacher accounts, their website states.
“[Free-For-Teacher] accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts,” Instructure said. They are also temporarily suspending Free-For-Teacher accounts, Instructure said they would be “hardening” administrative processes, deploying platform-wide protections and adding additional monitoring across their platforms.
In addition, Instructure is working with a third-party forensic firm as well as with law enforcement agencies, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and international law enforcement partners, according to their website.
“As we respond to this incident, we’re focused on three things: completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data,” Instructure said. “Trust is earned through actions, and we’re committed to earning yours.”
Reporter Shahid Meighan can be reached at smeighan@dispatch.com, at ShahidMeighan on X, and at shahidthereporter.dispatch.com on Bluesky.
This article originally appeared on The Columbus Dispatch: Ohio State reports access restored to Canvas after cybersecurity breach
Reporting by Shahid Meighan, Columbus Dispatch / The Columbus Dispatch
USA TODAY Network via Reuters Connect
