Caveat Canvas: ShinyHunters Hacks the Education Sector

They make you do it – they, in this case, being the folly-fouled leaders of educational institutions – because it’s all in the name of organizational efficiency, productivity, and purpose. Engage what is often erroneously called a Learning Management System (LMS), submitting personal details, papers, and assessments into its maw. Instructors and academics are also required to generate intellectual profiles for subjects and courses, leaving students with the false impression that what is not on the platform cannot possibly exist. Should you be a conscientious objector to this hungry, data-gobbling system, you are ostracised, condemned as a pencil-loving Luddite.

On April 30, Instructure, the Salt Lake City-based education technology company behind Canvas, a widely used LMS, temporarily went offline. On May 1, the company confirmed that it had experienced a “cybersecurity incident perpetrated by a criminal threat actor.” The problems had largely been resolved by May 2, with Instructure promising continued monitoring and an investigation into how the attack occurred. Its security system had been patched, certain credentials and access tokens revoked and reissued, and API (application programming interface) keys rotated “out of an abundance of caution.” Normal operations resumed the next day.

On May 3, the specialist extortion group ShinyHunters, which publicly emerged in January 2020, added Instructure to its Tor-based site, boasting of the theft of 3.65 terabytes of data by exploiting the “Free-For-Teacher” vulnerability in the Canvas platform. Information belonging to 275 million students, teachers, and other individuals at some 8,809 education institutions across the globe featured in the stolen data. Instructure, while admitting the hack had secured access to personal information (names, email addresses, student ID numbers, and user messages), claimed to find “no evidence that passwords, dates of birth, government identifiers, or financial information were involved”.

ShinyHunters sought negotiations with Instructure, threatening to leak its pilfered trove of data by May 6. A new deadline was issued for May 8. Instructure, at least publicly, was not having a bar of it, using its status page to declare the incident closed. On May 7, in extending its deadline, the group began threatening specific institutions for extortion and injected a defacement message across 330 institutional Canvas login pages. “ShinyHunters has breached Instructure (again),” crowed the note. “Instead of contacting us to resolve it, they ignored us and did some ‘security patches’.”

The defacement prevented the effective use of Canvas accounts by staff and students and of any materials posted on the platform. Canvas assumed an offline maintenance status and suspended its Free-for-Teacher service. Stirrings of panic were registered by various student bodies regarding the loss of work, disruption to exam preparation, and a block on the submission of research papers. A number of universities – Idaho State University and Penn State University, for instance – canceled and postponed scheduled exams.

Instructure was then removed from ShinyHunters’ data leak portal, something the group tends to do when the target company initiates contact. The strategy for targeting individual institutions, however, was alive and well, with the threat that the pinched data set would be released if negotiations with the group were not commenced.

The Halcyon Ransomware Research Center helpfully outlines the implications of the theft. Targeted phishing campaigns can be executed against staff, students, and parents in the wake of exfiltration. “Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks.” Some mighty fine advice is also given. “Students, parents, and personnel at affected institutions should be considered, and institutions should issue phishing advisories and direct communications immediately.” Halcyon further recommends the deployment of “a dedicated anti-ransomware solution that detects and prevents ransomware runtime behaviour and data exfiltration attempts … and prevents tampering and network intrusion that enable propagation”.

Such detail and responsibility proved too much for many institutions to master. As the devil was to be found in the detail, detail would be spared. The best Adelaide University could do in a statement on May 11 was to announce that access to Canvas had been restored, that extensions to assessments had been granted, and to encourage “all users to please remain alert to phishing or suspicious communications.” Students at the institution, already disgruntled by the tangles produced by the merger between the University of Adelaide and the University of South Australia, were less than impressed. Ethan Brown, a second-year mechanical engineering student, told the Australian Broadcasting Corporation (ABC) that the university had been meager in its communications with students. “It did take me a little while to actually find out [what happened] because I didn’t find out directly from the uni. I just heard about it from a friend and from articles online.”

Shannon Schmidt, reading for a double degree in international relations and arts, spoke of the disruption as messing “with a lot of things to do with my course material and submissions” while wondering why so many universities preferred one third-party provider. “I reckon all unis that have been affected should tighten security, if this wasn’t a wakeup call, then I don’t know what will be.”

The modern institution of learning has long been blighted by management philosophies that treasure budgets over intellectual prowess, false efficiency over the acquisition of knowledge. Dotted agreements are made with consultants who feed fetid dross to rapacious managers keen on restraining expenditure in favor of criminally inflated salaries. The response to the Canvas hacking shows laziness, indifference, and an almost torturous neglect of the welfare and privacy of students and staff.

Remarkably, these institutions refuse to consider alternative systems in the event of a cyber failure, whether an indigenous platform unique to them and separate from cloud-based models, or a backup mechanism to circumvent disruptions. Then there is the heretical prospect of analogue options: the oral examination, the answer briskly penned on paper in a classroom. A sociology student interviewed by the University of Melbourne student publication Farrago summed up matters with some crispness: “I think it works wonderfully well with the whole ‘going analogue’ vibe we’ve been cultivating as a culture this year,” she stated, sporting a Disc-man. “This should be a wake-up call to the university to invest in physical media. Get with the times!”

Unfortunately, little can be expected by way of redress. The managerial university remains a constipated entity hostile to the safety and welfare of those toilers who learn and work within it. “Platform concentration risk”, as the computer boffins like to term it, promises more mayhem, disguised as a digital nirvana.

Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: bkampmark@gmail.com.