May 12, 2026 - 9:35 AM

Caveat Canvas: ShinyHunters Hacks the Education Sector

They make you do it – they, in this case, being the folly-fouled leaders of educational institutions – because it’s all in the name of organisational efficiency, productivity and purpose.  Engage what is often erroneously called a Learning Management System (LMS), submitting personal details and papers and assessments into its maw.  Instructors and academics are also made to generate intellectual profiles for subjects and courses, leaving students the false impression that what is not on the platform cannot surely exist.  Should you be a conscientious objector to this hungry, data-gobbling system, you are ostracised, condemned as a pencil-loving Luddite.

On April 30, Instructure, the Salt Lake City-based education technology company behind Canvas, a widely used LMS, temporarily went offline.  On May 1, the company confirmed that it had experienced a “cybersecurity incident perpetrated by a criminal threat actor.”  The problems had been largely sorted by May 2, with Instructure promising continued monitoring and an investigation into how the attack took place.  Its security system had been patched, certain credentials and access tokens revoked and reissued, and API (application programming interface) keys rotated “out of an abundance of caution.”  Normal operations resumed the next day.

On May 3, the specialist extortion group ShinyHunters, which publicly emerged in January 2020, added Instructure to its Tor-based site, boasting the theft of 3.65 terabytes of data by exploiting the “Free-For-Teacher” vulnerability in the Canvas platform.  Information belonging to 275 million students, teachers and other individuals at some 8,809 education institutions across the globe had featured.  Instructure, while admitting the hack had secured access to personal information (names, email addresses, student ID numbers and user messages), claimed to find “no evidence that passwords, dates of birth, government identifiers, or financial information were involved”.

ShinyHunters sought negotiations with Instructure, threatening to leak its pilfered trove of data by May 6.  A new deadline was issued for May 8.  Instructure, at least publicly, was not having a bar of it, using its status page to declare the incident closed.  On May 7, in extending its deadline, the group began threatening specific institutions for extortion and injected a defacement message across 330 institutional Canvas login pages.  “ShinyHunters has breached Instructure (again),” crowed the note.  “Instead of contacting us to resolve it they ignored us and did some ‘security patches’.”

The defacement prevented the effective use of Canvas accounts by staff and students, or any materials posted on the platform.  Canvas assumed an offline maintenance status and suspended its Free-for-Teacher service.  Stirrings of panic were registered through various student bodies regarding the loss of work, a disruption in exam preparation and block to the submission of research papers.  A number of universities – Idaho State University and Penn State University, for instance – cancelled and postponed scheduled exams.

Instructure was then removed from ShinyHunters’ data leak portal, something the group tends to do when the target company initiates contact.  The strategy for targeting individual institutions, however, was thrivingly alive, with a threat that the pinched data set would be released in the event negotiations with the group were not commenced.

The Halcyon Ransomware Research Center helpfully outlines the implications of the theft.  Targeted phishing campaigns can be executed against staff, students and parents in the wake of exfiltration.  “Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks.”  Some mighty fine advice is also given.  “Students, parents, and personnel at affected institutions should be considered, and institutions should issue phishing advisories and direct communications immediately.”  Halcyon further recommends the deployment of “a dedicated anti-ransomware solution that detects and prevents ransomware runtime behaviour and data exfiltration attempts … and prevents tampering and network intrusion that enable propagation”.

Such detail and responsibility proved too much for many institutions to master.  As the devil was to be found in the detail, detail would be spared.  The best Adelaide University could do in a statement on May 11 was announce that access to Canvas had been restored and extensions to assessments granted, and encourage “all users to please remain alert to phishing or suspicious communications.”  Students at the institution, already disgruntled by the tangles produced by the merger between the University of Adelaide and the University of South Australia, were less than impressed.  Ethan Brown, a second-year mechanical engineering student, told the Australian Broadcasting Corporation (ABC) that the university had been meagre in its communications with students.  “It did take me a little while to actually find out [what happened] because I didn’t find out directly from the uni.  I just heard about it from a friend and from articles online.”

Shannon Schmidt, reading for a double degree in international relations and arts, spoke of the disruption as messing “with a lot of things to do with my course material and submissions” while wondering why so many universities preferred one third-party provider.  “I reckon all unis that have been affected should tighten security, if this wasn’t a wakeup call, then I don’t know what will be.” 

The modern institution of learning has been long blighted by management philosophies that treasure budgets over intellectual prowess, false efficiency over the acquiring of knowledge.  Dotty agreements are made with consultants who feed fetid dross to rapacious managers keen on restraining expenditure in favour of criminally inflated salaries.  The response to the hacking of Canvas shows laziness, indifference and an almost tortious neglect about the welfare and privacy of students and staff.  

Remarkably, these institutions refuse to consider alternative systems in the event of cyber failure, be it an indigenous platform unique to them and separate from cloud-based models, or some backup mechanism to circumvent disruptions.  Then there is the heretical prospect of analogue options: the oral examination, the answer briskly penned on paper in a classroom.  A sociology student interviewed by the University of Melbourne Student publication Farrago summed up matters with some crispness: “I think it works wonderfully well with the whole ‘going analogue’ vibe we’ve been cultivating as a culture this year,” she stated, sporting a Disc-man.  “This should be a wake-up call to the university to invest in physical media.  Get with the times!”

Unfortunately, little can be expected by way of redress.  The managerial university remains a constipated entity hostile to the safety and welfare of those toilers who learn and work within it.  “Platform concentration risk”, as the computer boffins like to term it, promises more mayhem, disguised as a digital nirvana.

 

Dr. Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He currently lectures at RMIT University. Email: bkampmark@gmail.com
