Vrije Universiteit (Free University, or VU) Amsterdam has disconnected all systems linked to the Canvas learning management system as a precautionary measure, after the hacker group ShinyHunters claimed on Thursday evening to have gained access to the Canvas environments of several Dutch universities. The hackers are threatening to publish stolen data if Instructure does not respond by Tuesday, May 12. Seven Dutch universities have been affected.
The VU also reported the incident to the Dutch Data Protection Authority. The disconnection may have consequences for teaching and learning on Friday, according to the university. The umbrella organization Universities of the Netherlands (UNL) previously reported that, in addition to the VU, the University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology, Maastricht University, and the University of Twente have also been affected.
ShinyHunters threatens to publish data breach
The hackers’ message was visible for about half an hour on Thursday evening on the Canvas pages of the University of Amsterdam (UvA) and the VU, among others. It reads: “ShinyHunters has (once again) hacked Instructure.” The group accuses Instructure of ignoring their contact attempts and gives the company until Tuesday, May 12, to prevent the stolen data from being made public.
ShinyHunters has since built a reputation for major data breaches. Previously, the group targeted Salesforce environments, claiming to have stolen 1.5 billion records from 760 companies. Red Hat was also listed on their leak website. Within the Netherlands, Odido has been the most prominent victim this year.
Personal data of students and instructors stolen
Instructure confirmed earlier this week that personal data had been compromised, including names, email addresses, student ID numbers, and private messages between students and instructors. Passwords and financial data were reportedly not stolen. Canvas has over 30 million users worldwide; ShinyHunters claims to have data on as many as 275 million individuals.
In response, Instructure implemented security patches, increased monitoring, and rotated its application keys. Customers must reauthorize API access. The cyberattack is also causing problems in other countries; the investigation is ongoing. For many users of the software, the damage has already been done—or at least, the data breach cannot be undone. The consequences of what criminals will do with the stolen information remain to be seen.