The company behind Canvas, one of the most widely used online learning platforms in North America, says it has reached an agreement with hackers following a cyberattack that affected major universities and schools in Canada and around the world.
According to Global News, Instructure, the United States based parent company of Canvas, confirmed Monday that it had reached an agreement with the unauthorized actor involved in the incident. The company said the stolen data had been returned and that it received digital confirmation showing the data had been destroyed.
The hacker group ShinyHunters claimed responsibility for the breach and alleged that it had taken data belonging to 275 million people connected to nearly 9,000 schools worldwide. The group said the affected information involved students, teachers and staff, though the full scope and sensitivity of the exposed data remains unclear.
Several Canadian institutions were impacted by the incident, including the University of Toronto, the University of British Columbia and the University of Alberta. Canvas is commonly used by schools and universities to manage online courses, distribute assignments, share learning materials, handle grades and support communication between students and instructors.
The University of Toronto temporarily shut down Quercus, its Canvas based learning system, as a precaution and warned users not to access the platform. The University of Alberta also took Canvas offline after users reported seeing an unauthorized message while trying to log in.
The University of British Columbia advised students and staff not to use Canvas and told anyone already logged in to sign out and change their password. Other Canadian institutions, including Simon Fraser University, Mohawk College and OCAD University, also reported disruptions connected to the incident.
Instructure said no individual customers need to contact or negotiate with the unauthorized actor, adding that the agreement covers all affected customers. The company also said it had been informed that no Instructure customers would be extorted publicly or privately as a result of the breach.
