.png)
NEWPORT — Only a month away from the end of the school year, the Newport School District’s designated learning management system was forced offline by a cyberattack.
Canvas is a digital platform developed by the company Instructure. On Canvas, educators can create and assign online learning materials as well as assess student learning, and students can engage in coursework and receive feedback from educators, according to Instructure. Accessible via computer, cell phone and most other devices, Canvas is a world-leading LMS with over 30 million active users worldwide. At the Newport School District, Canvas is used at the middle and high school levels.
Yet in late April, Canvas was breached by Shiny-Hunters, a cybercriminal organization responsible for major attacks across multiple sectors.
“Right now, we have no indications of any compromise of any of our systems,” said Chris Altmaier, director of technology at the district.
ShinyHunters breached Canvas twice in the first week of May — first to steal data in the form of usernames, passwords, email addresses, course names, enrollment information and messages, and second to update login webpages with a post alerting users of the cybercrime. The same post announced that Shiny-Hunters was holding the data for ransom, with threat of a leak.
According to Instructure, none of the data fields impacted contained government identifications, financial information, grades, disciplinary records or learning data such as assignment submissions.
“It really wasn’t a huge breach,” Altmaier said. “But it was a very, very scary one because of all the information that it has.”
Instructure took Canvas offline to investigate further, and with support from third-party entities like CrowdStrike and the FBI, Canvas was back online for most users by Friday, May 8.
Last week, Instructure confirmed that it had reached an agreement with ShinyHunters; as part of said agreement, ShinyHunters returned the data to Instructure and showed it digital confirmation of data destruction. There are strong indications that Instructure agreed to pay ShinyHunters’ ransom, Altmaier said, though no total has been disclosed.
Later, Instructure also confirmed that Shiny-Hunters carried out both breaches via a Free-For-Teacher account, a service not utilized by the district.
“We got [Canvas] because all colleges in Washington state have it,” Altmaier said. The district offers courses with Spokane Community College, as well as many college-level classes.
This marks the second time Canvas has experienced a cyberattack. The first occurred a couple years ago, Altmaier said, and was about as shallow of a cyberattack as this year’s.
“As long as they don’t get breached the same way more than once, generally, that’s pretty good,” Altmaier said.
Altmaier and Jamison Maybright, network analyst for the district, assisted with the state’s initial response to the cyberattack while at a conference for the Association of Computer Professionals in Education, during which the cyberattack was publicized.
Along with officials from the Office of Superintendent of Public Instruction and Educational Service Districts, Altmaier and Maybright deduced that ShinyHunters’ was likely targeting universities. Only a few elementary, middle and high schools were compromised, and none were part of the Newport School District. Neither the Cusick or Selkirk School Districts use Canvas as their LMS.
Moreover, Altmaier said the district had no “back-and-forth connection” with any university, including SCC. That means the district would not be compromised even if SCC was.
“The things that we’ve had in place for the last several years prevented a lot of it,” Altmaier said.
Still, the district has taken additional safety precautions in response to the cyberattack.
Besides shutting down access to Canvas for district users temporarily, the district notified vendors of the breaches, rotated access keys, paused information sync, inventoried connections for integrated learning tools, checked for abnormalities within district systems and investigated Canvas administration accounts, Altmaier said. The district was guided by an incident response playbook distributed by the K-12 Security Information Exchange, of which the district is a member.
As of now, Altmaier said the district is continuing to follow the investigation, as well as communicate with incident response teams. He noted that a few weeks ago, the Eastern Washington University Cybersecurity Institute conducted a cybersecurity audit on the district via a grant from Google.
“They said that we were looking pretty good,” Altmaier said. “And this kind of confirms that.”
