Cyberattack Cripples UC, CSU Schools During Finals, Thousands Of Records Stolen
Universities across the nation, including schools in the UC and CSU systems, were attacked along with USC, Stanford and community colleges.
LOS ANGELES, CA — Systems have been restored and an investigation was underway Friday after a cyberattack disrupted access to a key education computer platform used by California State University campuses, UCLA and thousands of schools nationwide.
The attack, allegedly carried out by a hacking group called "ShinyHunters," targeted Instructure, developer of the Canvas education platform used at universities and school systems nationwide. The attack apparently began more than a week ago, but it led to outages of the Canvas system on Thursday.
CSU officials said 22 campuses were impacted, and the Los Angeles Community College District said all of its nine campuses were attacked. Additionally, University of California, Stanford University, University of Southern California, and Los Angeles Community College District students, staff and faculty were impacted by the cyberattack. Several community college districts and a handful of K-12 school districts were also impacted.
The Long Beach-based California State University system confirmed that Canvas was down at all of its campuses and the Chancellor's Office.
Instructure said the data breach included names, email addresses, student ID numbers, and messages in the platform but not passwords, dates of birth, financial information or government identifiers.
On Friday, Instructure said Canvas had been restored but some schools are continuing to block access, including many in California such as UCLA.
UC officials posted a statement online Thursday night which said all campuses were instructed to "temporarily block or redirect Canvas access."
"Out of an abundance of caution, the University of California Office of the President has instructed all UC locations to temporarily block or redirect Canvas access, and Canvas access will not be restored until we are confident the system is secure," the notice read.
An alert posted by the UCLA Chief Information Security Officers acknowledged the outage and said "our vendor is working toward a resolution." Other University of California campuses were also being impacted.
San Diego Unified School District was among a few public school districts affected by the cyberattack, prompting officials to shut down access to Canvas.
Last week, Instructure was breached after a hacker group believed to be ShinyHunters claimed to have stolen hundreds of millions of student and employee records from about 9,000 schools in the United States, Australia and Europe.
Canvas is used to manage grades, course notes, assignments, lecture videos and more. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, said Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft.
Screenshots Connolly provided showed that the group had been threatening to leak the trove of data. By Friday, Instructure and Canvas had been removed from a dedicated leak site created by the ransomware group on the dark web to publish stolen data, he said.
Canvas went down Thursday at the worst possible time, which came as no surprise to Huseyin Can Yuceel, the security research lead at Picus Labs.
“Timing is everything, because they want to inflict pain as much as possible,” he said, “so they can extort money out of it.”
The hack came as many students were using the Canvas system to take final exams. Some users reported that a message appeared on their computer screens from ShinyHunters, which claimed to have captured the data of hundreds of millions of users which would be released if affected institutions did not arrange a "settlement" with the hacking group.
Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.
In November, ShinyHunters breached Harvard University, the University of Pennsylvania and Princeton. It has also claimed responsibility for data breaches at Ticketmaster and AT&T.
Instructure officials stated on the company's website that it was investigating and working to resolve the issue.
Allan Liska, of the cybersecurity firm Recorded Future, said the outage did appear deliberate, not a glitch, and that Instructure was trying to figure out how widespread the problem was and make sure the hackers were no longer inside its system.
“There’s no indication at this point that any ransom has been paid,” Liska said. “And it likely is still a little too early for a ransom to have been paid. You know, normally these negotiations kind of drag on for a while.”
Liska said nothing big has been leaked yet, but said that is common. “Once they’ve leaked, they’ve lost their leverage.”
Connolly said the Canvas attack is strikingly similar to a breach at PowerSchool, which also offers learning management tools. In that case, a Massachusetts college student was charged.
Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group also has been tied to other attacks, including Live Nation’s Ticketmaster subsidiary.
ShinyHunters, or an offshoot, also was behind a previous smaller breach of Instructure, Liska said. He added that the group or someone pretending to be ShinyHunters issued a statement Friday indicating that it had nothing to say.
“It’s very weird,” Liska said, noting that the group is “normally a very talkative bunch.”
Students quickly took to social media, with many panicking that they could no longer view course materials housed within the platform to study for their final exams.
Teachers said they were having to find workarounds to help students study for exams and submit final assignments. And some schools announced they were pushing back finals scheduled for Friday in response to the outage.
City News Service and the Associated Press contributed to this report.