University students in New Zealand are unable to submit assignments or access class materials after an online tool became the target of a data breach.
Technology company Instructure confirmed its learning management tool Canvas was down after a “criminal threat actor” gained unauthorised access.
The breach, which has affected students across the globe, is believed to have exposed some users’ data, including names, email addresses, student ID numbers and messages.
Students rely on Canvas to view grades and rubrics, submit assessments and contact staff.
While some students were concerned for their privacy, others seem unfazed.
Victoria University said it planned for Canvas to be down at least until the middle of next week and reassured students the impact of the outage on assessments would be taken into account.
Other education providers have allegedly not openly addressed the hack, leaving students “frustrated” and worried they may not receive extensions for assessments.
Students who opened Canvas this morning were greeted by a message from ShinyHunters, the hackers who infiltrated the website.
“ShinyHunters has breached Instructure (again),” the message read.
“Instead of contacting us to resolve it, they ignored us and did some ‘security patches’.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement.”
The hackers said Instructure had until the end of May 12 to contact them before “everything is leaked”.
On Wednesday, Instructure said it did not believe birthdates, passwords, government identifiers, or financial information were affected.
The University of Auckland, Victoria University of Wellington and the Auckland University of Technology use Canvas.
By 9.15am, the hackers’ message was removed from Canvas.
It was replaced by a message that read, “Canvas is currently undergoing scheduled maintenance. Check back soon.”
A9.35am email from University of Auckland chief digital officer Jason Mangan to students confirmed “Canvas is currently offline”.
“We are working urgently on workarounds to minimise the impact on teaching and learning today and will provide more information as it becomes available.
“Please note that this is not a breach of the university’s systems, and no other systems are at risk.”
Mangan said the university would provide updates throughout the day on its website.
“My primary concern is not access to course materials, but the possible exposure of students’ personal information,” a University of Auckland engineering student told the Herald.
The student was worried the breach would leak enrolments, grades, assignment submissions and course activity data, as well as names, email addresses and student ID numbers.
Bachelor of Commerce student Matt told the Herald he was not overly concerned by the breach.
He believed data such as names, email addresses and student ID numbers was “pretty easy” to find online.
“What data do they have on me?” the 20-year-old questioned.
“I do a BCom, what are they going to do? Release my 13/15 test [score]?”
The student said all his university modules were on Canvas.
Matt had some resources saved on to his computer but he had not downloaded enough.
Without the platform, he would be unable to study or submit assignments.
He predicted universities would delay assignment deadlines.
“Unless you make religious notes ... it’s all there [on Canvas],” he said.
The Herald spoke to a student from Manukau Institute of Technology who said the tertiary institution had not openly addressed the incident with its students, despite them being affected.
“I am concerned that we won’t receive any extensions.
“We can’t access any of our upcoming assessment details, so unless we saved them pre-outage, we don’t know what we are meant to do.”
The second-year health student said it was “frustrating” to not receive direct communication from the polytechnic, or its IT department, about Canvas being down.
They found out about the hack from another student and said if that had not happened, they would have found out through media coverage.
Manukau Institute of Technology said it emailed students about the breach this morning.
Victoria University of Wellington vice-chancellor Nic Smith said the university’s learning management system, Nuku, is offline after the cyber attack.
The university planned to have Canvas back online by 8am Wednesday, May 13 at the earliest.
“Our priority is protecting the security of student and staff information, and we have taken proactive steps, including temporarily taking the system offline while we work with external experts to assess and manage the situation,” Smith said.
He confirmed in-person teaching and wider university operations would continue as normal.
“Students and staff have been updated, and appropriate arrangements will be made where this disruption affects critical assessments or learning activities.”
If necessary, course coordinators would communicate any specific information directly in class or by email, the university told students.