EMILY FENG, HOST:
Millions of students in universities in K-12 districts had their data compromised this week as a hack took down Canvas. That's a classroom management tool used all over the country. The attack raised more than a few questions about student data privacy and schools' reliance on private software to run classes. NPR's Sequoia Carrillo has been following the story and joins us now. Hi, Sequoia.
SEQUOIA CARRILLO, BYLINE: Hi, Emily.
FENG: So what happened this week with Canvas?
CARRILLO: So on Thursday, Canvas went offline. If you have a student or teacher in your life, you might know the name. But if not, it's an education software with more than 30 million users. Lots of K-12 districts use it along with half of all higher education institutions in North America. It helps educators manage assignments, post course materials and conduct exams. And the timing of the hack really couldn't be worse. My colleague Rachel Treisman spoke to Damon Linker, a lecturer at the University of Pennsylvania, who described it.
DAMON LINKER: Somewhere in the country when the outage happened, there probably were people actually taking final exams on the platform when it crashed.
CARRILLO: Instead, students and teachers saw a black screen saying a ransomware group called ShinyHunters had hacked the platform, not once but twice during the week, and then demanded money in exchange for students' data. And in Canvas' case, that doesn't just mean names, addresses and student ID numbers are at risk, but also possibly grades and coursework. And the program is a centralized hub of data for many schools.
FENG: Grades? Coursework? Why target students? Why are hackers interested in this data?
CARRILLO: So it might sound counterproductive when you first think about it, right? Kids don't have the means to pay a ransom for their data, typically.
FENG: Right.
CARRILLO: But they also don't typically monitor their own credit or have alerts set up to flag unwanted loan or credit card applications. So bad actors can get away with using a student's identity sometimes for years before anyone catches on. And this is just the latest in a recent string of attacks targeting young people. Definitely the largest in one spot so far. But dozens of school districts have reported hacks in the last few years.
FENG: OK, what does this hack mean for Canvas? And what does it mean for other edtech companies in general?
CARRILLO: So I was recently talking to T. Philip Nichols. He's an associate professor at Baylor University who's really been ringing alarm bells around public schools' increasing reliance on private companies for a while. We were actually talking about a different story last week when he said, just imagine if one day, Google or Canvas decided to turn their products off. A lot of schools would not be able to function, and that really shows just how fragile we've built these systems to be. I called him back in the wake of this hack.
T PHILIP NICHOLS: This incident should give us pause, not because it's an aberration, but because it isn't. We'd be much better off if schools were as vigilant about protecting student data when there isn't a ransom note attached.
FENG: Very prescient. So what are the next steps here?
CARRILLO: So Canvas is back online. Its parent company, Instructure, has been very quiet about the hack, only offering an update once its systems were back up on Friday. And for immediate concerns, like whether students will get their grades on time or if exams can take place, things seem to have gone back to normal. Canvas says it is still conducting an investigation to see the extent of this attack. I chatted with Matt Radolec, a cybersecurity expert who's worked in negotiations with ShinyHunters before. And he said, even if the system is back online, that doesn't necessarily mean the data breach is over. He says once a group like that is in, it's very hard to make sure they're out. But for now, at least for final exam season, things seem to be running again.
FENG: That's Sequoia Carrillo with the latest on the Canvas hack. Thank you, Sequoia.
CARRILLO: Thank you.
Transcript provided by NPR, Copyright NPR.