A Practical Guide to Surviving a Cyberattack on Canvas During Finals

Introduction

When a cyberattack strikes the online learning platform Canvas during the high-stakes final exam period, chaos can quickly unravel weeks of preparation. In a recent incident, Instructure—Canvas's parent company—took the platform offline after detecting unauthorized activity, with a ransomware group called ShinyHunters claiming responsibility for a breach affecting an estimated 275 million users across 8,800 schools. The compromised data included user names, email addresses, student ID numbers, and platform messages, though passwords, birth dates, government IDs, and financial information remained secure. This guide provides a clear, step-by-step plan for schools, administrators, and students to respond effectively, minimize disruption, and protect sensitive information during such a crisis.

A Practical Guide to Surviving a Cyberattack on Canvas During Finals — Source: feeds.arstechnica.com

What You Need

Official communication channels (email, SMS, school website, social media) for rapid announcements.
IT security team contact or a designated incident response coordinator.
Backup exam materials (paper copies, offline quizzes, or alternative digital platforms).
Student and staff directories (updated contact info) for notification purposes.
Password manager or instructions for secure password updates.
Legal and data privacy advisor to address regulatory requirements (e.g., FERPA, GDPR).
Mental health support resources for stressed students and faculty.

Step-by-Step Guide

Step 1: Confirm the Attack and Activate the Incident Response Plan

As soon as unusual activity—such as inability to log in, altered course content, or ransom notes—is detected, the IT team should verify the breach using logs and alerts. Instructure’s example shows that taking Canvas offline preemptively can prevent further data loss. Activate your institution’s pre-existing incident response plan, which should include roles for communications, technical containment, and legal counsel. Notify Instructure via their security hotline or portal, as they may have broader network intelligence (e.g., the same ShinyHunters group involved in a prior breach).

Step 2: Communicate Transparently and Quickly

Use all available channels to inform students, faculty, and parents about the situation. Emphasize that the platform is down, exams are postponed, and personal data may have been accessed. In the real incident, names, emails, student IDs, and internal messages were exposed—but not passwords or financial details. Clear communication reduces panic and prevents rumors. Provide a timeline for updates (e.g., “next briefing in 2 hours”) and direct everyone to a dedicated FAQ page. Avoid technical jargon; use simple, reassuring language.

Step 3: Secure Accounts and Reset Credentials

Encourage all users to change their Canvas passwords immediately once the platform is restored. If the school uses single sign-on (SSO), reset those credentials as well. For students, remind them to update passwords on any other services where they used the same email/password combination (a common risk). Since the breach did not include passwords themselves, the danger is mostly from credential stuffing. Provide step-by-step instructions (e.g., “Go to your account settings, click ‘Change Password’…”). Consider forcing a password reset for all accounts as a proactive measure.

Step 4: Assess the Scope of Compromised Data

Work with Instructure’s forensic team to identify exactly which data was accessed. In the example, names, email addresses, student IDs, and internal messages were taken. Determine if any subsets—like students in specific courses or faculty with admin roles—were targeted. Then, notify affected individuals with specific guidance: students whose student IDs were exposed should monitor for identity theft (e.g., fraudulent loan applications), while those whose internal messages were accessed should be cautious of follow-up phishing attempts designed to look like previous conversations.

Step 5: Implement Alternative Exam Administration Methods

With Canvas offline, finals cannot proceed as planned. Develop a backup plan immediately: use paper-based exams in large exam halls, switch to a different LMS like Google Classroom or Blackboard (if already licensed), or move to oral exams via video conferencing. If the disruption is temporary (Instructure restored service within a day), consider extending the exam window by 24-48 hours. For online proctored exams, ensure the alternative tool has equivalent security. Communicate the new schedule clearly, and allow students who feel unfairly impacted to request accommodations.

Step 6: Monitor for Further Unauthorized Activity or Data Misuse

After the initial response, set up monitoring for new phishing emails targeting your institution using the leaked email addresses. The ShinyHunters group may attempt to exploit the stolen data by sending targeted messages that reference real Canvas messages. Instruct users to report any suspicious emails or attempted logins. Also, set up dark web monitoring services to alert if the stolen student data appears in illicit marketplaces. This step is critical even after the platform is restored, as secondary attacks often follow a breach.

Step 7: Coordinate with Law Enforcement and Privacy Authorities

Report the cyberattack to local law enforcement and, if applicable, the FBI’s Internet Crime Complaint Center (IC3). In the U.S., educational institutions must comply with FERPA (Family Educational Rights and Privacy Act) regarding the disclosure of student records. Work with a legal expert to determine if breach notifications are required to state attorneys general or affected individuals. The size of the breach (275 million people) would trigger mandatory reporting in most jurisdictions. Document all actions taken for potential litigation or insurance claims.

Step 8: Provide Emotional Support and Academic Flexibility

Finals are already stressful; a cyberattack amplifies anxiety. Offer counseling services, extend deadlines for assignments, and consider pass/fail grading options for the affected exams. Faculty should be empathetic and avoid penalizing students for technical issues beyond their control. In the weeks following, gather feedback on the incident response to improve future preparedness. Acknowledge the disruption publicly and thank everyone for their patience.

Tips for Success

Test your backup systems before finals—don’t wait for a crisis to discover that your offline exam plan doesn’t work.
Never reuse passwords across academic and personal accounts; use a password manager to generate unique, strong passwords.
Keep software updated on all devices used to access Canvas, including phones and tablets, to reduce vulnerability to malware.
Stay calm and follow official channels—rumors spread faster than facts during a breach. Only trust communications from verified school email addresses or websites.
Review Instructure’s own security advisories regularly; they often provide early warnings of threats affecting the Canvas ecosystem.
Consider cyber insurance for your institution, which can cover forensic analysis, legal fees, and credit monitoring for affected individuals.

By following these steps, schools and students can navigate the chaos of a Canvas cyberattack during finals with minimal disruption and greater data security. Remember, the key is preparation, transparency, and a focus on protecting the community’s trust.

Tags: