Canvas software back online after data breach affected Houston-area schools

Canvas, a learning management system used by thousands of schools and universities, was back online by Friday after a cyberattack disrupted students' efforts to study for finals, underscoring the education system's dependence on technology.

Local universities, including Texas A&M University and the University of Houston, confirmed that their students were affected by the Canvas cybersecurity incident on Thursday evening.

Other schools, including Texas Southern University, University of Houston - Downtown, Houston City College, and Prairie View A&M, all say they use Canvas through their websites.

The video above is from Thursday's report.

The hacking group ShinyHunters claimed responsibility for the Canvas breach, said Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. Instructure, the company behind Canvas, said in an update late Thursday that the system was available for most users.

Canvas is used to manage grades, course notes, assignments, lecture videos, and more. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Connolly said.

Screenshots Connolly provided showed that the group began threatening to leak the trove of data on Sunday. By Friday, Instructure and Canvas had been removed from a dedicated leak site created by the ransomware group on the dark web to publish stolen data.

Canvas went down on Thursday at the worst possible time. Students quickly took to social media, many panicking that they could no longer access course materials on the platform to study for their final exams.

Teachers said they were having to find workarounds to help students study for exams and submit final assignments.

Rich in digitized data, the nation's schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.

Instructure has not posted about the attack on its social media. Its Canvas is used to manage grades, course notes, assignments, lecture videos, and more.

Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group has also been linked to other attacks, including one targeting Live Nation's Ticketmaster subsidiary.

Universities and school districts quickly began notifying students and parents.

The University of Houston provided a statement to Eyewitness News that read in part:

"The University of Houston is aware of a global service disruption affecting the Canvas LMS platform, which is currently unavailable due to a cybersecurity incident involving its parent company, Instructure. The UH UIT team is actively investigating and monitoring this situation."

On Thursday evening, local school districts, including Houston ISD and Katy ISD, sent the following statements regarding the cybersecurity incident.

HISD sent a statement to its staff that read in part:

"This afternoon, a cybersecurity incident involving Canvas impacted school districts and other institutions nationwide. The issue is related to the Canvas platform and is outside of HISD's control. ... While Canvas works to resolve the issue, HISD is standing up a temporary Google site to provide access to curriculum materials. The site is expected to be available within the next few hours, and we will send an additional update once it is live."

Katy ISD shared a statement that read in part:

"Katy ISD has been notified by Canvas, the vendor that provides our learning management platform, of a cybersecurity incident that is actively under investigation. While the incident was not directed at Katy ISD, it has affected thousands of organizations that use Canvas services. ... Canvas has indicated that certain user information may have been exposed, including names, email addresses, student ID numbers, and messages exchanged within the platform. Please note that more sensitive personal information, such as Social Security numbers, home addresses, and passwords, is not stored within Katy ISD's Canvas environment and was not impacted.

Schools across the country, from the University of Iowa to Virginia Tech to Harvard University, have all confirmed they have been affected by the Canvas hack.

The Associated Press contributed to this report.