Bladen County Schools Superintendent Dr. Jason Atkinson said last week “there is no indication that account passwords were compromised, and no district-wide password reset is being required at this time” following the announced security breach of the statewide learning management system used by North Carolina public schools.
In a letter to families and staff May 11, Atkinson said “we encourage all users to continue practicing strong account security habits and monitoring their accounts regularly.”
Canvas, the parent company of Instructure, announced that it had made a deal with the ShinyHunters hacking group that claimed responsibility for the breach, United Press International reported. The stolen data was returned and the hackers destroyed any duplicate data, Instructure said.
Canvas was struck by a ransomware attack May 7 that shut down the system nationwide that is used by more than 8,000 schools and universities and has more than 30 million users worldwide.
The hackers said they accessed the data of more than 275 million users at nearly 9,000 schools, including private e-mails between students and teachers, along with personally identifying information, UPI reported.
N.C. Department of Public Instruction shut down the Canvas system statewide when the cybersecurity hack was reported. The unauthorized access involved data tables containing student and staff names and school-assigned email addresses, NCDPI said, but “at this time, there is no indication that passwords, dates of birth, Social Security numbers, financial information, or other sensitive personal data were compromised.”
CrowdStrike, the third-party cybersecurity firm advising NCDPI, reported over the weekend of May 9-10 that Instructure throughout North Carolina and the nation had no ongoing signs of compromise.
NCDPI restored statewide connectivity with Canvas for staff and students on May 11 at 4 p.m.
“Bladen County Schools takes the security and privacy of student and staff information very seriously,” Atkinson said in his letter. “We are continuing to work closely with NCDPI and monitoring updates related to this incident to ensure appropriate safeguards remain in place.
According to Instructure, the company detected unauthorized activity April 29 and the unauthorized party’s access was revoked. Before the access was revoked, Instructure said the hackers took data from the Canvas platform.
On May 7, Instructure said the same hackers gained additional access through a second Canvas vulnerability. The hackers made changes to the pages that appeared when some students and teachers were logged in through Canvas. Due to monitoring implemented after the first attack, Instructure said it detected and disabled the second attack approximately 10 minutes after it began. No additional data was accessed.
Canvas was fully back online May 9. Instructure confirmed the hackers carried out their activity in both instances using one of the Free-For-Teacher accounts.
“I recognize that this disruption came at an especially busy and important time of year, as many students are wrapping up coursework, preparing for exams, completing final projects and getting ready for graduation and end-of-year milestones,” state Superintendent Maurice Green said. “That timing made this situation even more challenging for students, families and educators alike.”
Bladen County Schools encouraged students, staff, and families to remain alert and use caution with any suspicious emails, messages, or links that may appear to reference the breach. Because names and school email addresses may have been involved, individuals should be cautious of potential phishing attempts or unsolicited communications. If an email or message appears suspicious or unusual, do not click links, open attachments, or provide personal information, the school system said.