Instructure data breach: Hofstra University, Long Island school districts impacted

Hofstra University was one of several colleges across the country impacted by a recent cyberattack. Credit: Newsday/Drew Singh
At least one Long Island college and four K-12 districts have been impacted by a cyberattack targeting an education platform used by academic institutions nationwide, according to school officials.
Canvas, an online learning and management system used by 8,000 customers, was the victim of a series of breaches carried out by an “unauthorized user,” who obtained the “names, email addresses, student ID numbers, and messages” of users on April 29, according to the platform’s parent company, Instructure.
In a statement released online, the company said, "We have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved."
On Thursday, the system was down after pages on the site were defaced. This comes as many students are in the middle of final exams and other deadlines.
The Canvas system was running again Friday while the Beta and Test environments remained under maintenance, according to Instructure.
Hofstra University was one of several colleges across the nation that were impacted. The Hempstead university’s information technology services sent students a notice Thursday alerting them that Canvas was not operational and warning them to be wary of any “unsolicited communications from anyone, including people who may appear to be from Hofstra.” The university did not respond to requests for comment.
Representatives for Stony Brook University and Adelphi University said they were not impacted by the breach.
New York Institute of Technology and Molloy University did not respond to inquiries from Newsday.
School impact
Four K-12 districts on Long Island were impacted as of Friday afternoon, according to Sandeep Dhillon, who runs a managed security operations center at Nassau BOCES, where he is director of district technology services. He did not specify which districts were affected.
Dhillon advised anyone concerned that their data may have been compromised to use single sign-on authentication — one application used to access multiple services.
"The reason for that is, again, visibility and greater control. Then if something horrible happened like this, you can simply just turn that plug-in or tie off, and then people can't authenticate," he said.
Dhillon also recommended being extra vigilant for phishing attacks, which are expected to surge after the breach, and turning up spam protection.
Timothy T. Eagen, president of the Suffolk County School Superintendents Association, said most schools in Suffolk use Google Classroom as their online learning platform.
Nonetheless, Eagen, who is also superintendent of the Kings Park district, said his district has taken proactive measures, including restricting access to Canvas’ affected sites on its network.
“From a cybersecurity standpoint, we've taken a 'shields up' approach...Our network engineer made changes that blocked the sites on our firewall, in our filter, and by DNS, as well,” Eagen said via email.
Ransom sought
ShinyHunters, a criminal hacker and global extortion group, has taken credit for the attack, according to TJ Sayers, senior director of threat intelligence at the Center for Internet Security in upstate New York. He said the group is potentially going after Instructure as well as individual schools, with a deadline of May 12.
"They're giving the parent company an additional five days or so to pay over a ransom or have information leaked. It's kind of mirroring somewhat of a double extortion campaign," Sayers said in a phone interview.
ShinyHunters is a known criminal network that's struck before, most recently hitting the home security company ADT in April, Sayers said.
Instructure said it has taken steps to guard against further threats.
The company posted online that it had "revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms. We engaged a third-party forensic firm and notified law enforcement."




