By Tracie Sullivan, For Iron County Today
Iron County School District notified parents this week that Canvas, an online learning platform used by many secondary schools, was impacted by a nationwide cybersecurity incident tied to the hacker group ShinyHunters.
In an email sent to parents, the district said it “recently learned that Canvas, a platform used by many of our secondary schools, experienced a cybersecurity incident.”
The district said Instructure, the Utah-based parent company of Canvas, reported that “a small portion of its Canvas platform, Free-For-Teacher, was leveraged by an unauthorized actor.”
That portion of the learning management system was temporarily shut down while the company investigated the breach and implemented additional safeguards.
District officials stressed that Iron County School District’s own systems were not directly compromised.
“Canvas is not hosted on our servers, which means Iron County School District was not directly attacked,” the email noted.
While the full scope of the breach remains under investigation, Instructure told districts it has “found no evidence that the unauthorized actor established persistence, obtained credentials for accounts within (our district), or exfiltrated any additional data.”
The district also noted that sensitive information such as Social Security numbers, passwords, financial information and dates of birth are not provided to Canvas.
Even so, parents, students and educators are being urged to watch for suspicious emails and possible phishing attempts.
“Students, families and educators should still be attentive to any unexpected emails or messages which could be potential phishing attempts,” the district warned.
Canvas is widely used by K-12 schools, colleges and universities for assignments, grades, messaging and classroom communication.
National reports indicate the incident affected schools and universities across the country during final exam season. Reuters and other outlets reported the cyberattack was claimed by the hacker group ShinyHunters, which has been linked to multiple large-scale data breaches in recent years.
Shauna Lund, communications director and foundation coordinator for Iron County School District, said the district does not store sensitive personal information through Canvas.
“It’s mainly grades and classroom-related information,” Lund said.
The investigation remains ongoing. Instructure said it has notified law enforcement agencies, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency and international law enforcement partners.
For more information, visit Instructure’s website at https://www.instructure.com/incident_update.