Your child’s school platform was just hacked. Don't panic.
Take a breath and have the conversation with your child
If your child’s school uses Canvas, you may have noticed the news this week. Instructure, the company behind Canvas, confirmed a data breach. The hacking group ShinyHunters claims to have stolen data from close to 9,000 schools worldwide.
That is a large number. Before you get too scared — let’s have a walk through the information that’s been published so far, and then what you can do about it.
What was stolen
Names, email addresses, student ID numbers, and in some cases messages between teachers and students. That is the data Instructure has confirmed. Passwords, financial information, and identity documents were not part of this breach. That distinction matters. A lot of data breach coverage treats all stolen data as equally catastrophic. It is not.
What was taken here is the kind of information that can be used for phishing — targeted, plausible-looking emails designed to get your child to click on something. That is a real risk. It is a manageable one.
I should add: Canvas is not only used by schools. I’ve used it recently for a short course. So it is quite possible my name and email address are in there too. I’m thrilled about that, obviously, and am waiting for the haveibeenpwned alert any day now.
What ShinyHunters actually wants
ShinyHunters is a prolific, financially motivated group. Their business model is to steal large quantities of data, threaten to publish it, and extract a ransom from the company involved. The target is Instructure. Not your child.
They are also known to exaggerate the scale of their claims to increase pressure on their victims. The figure of 275 million people affected may not be accurate.
This is actually an area I have researched. I was part of a research team that studied the harms ransomware causes to victims and organisations, funded by the UK’s National Cyber Security Centre. Ransomware operators will typically extort the company, as it is more profitable than going person by person. The dumping of data online for others to pick up is where the problem lies. Access to emails and names means phishing, primarily.
The conversation worth having
This is actually a good moment to talk to your child about phishing — if you can resist the urge to open with “something bad happened.”
Phishing is when someone sends a message that looks legitimate in order to get you to hand over information or click a link. It is the most common way people get caught out online, and it is surprisingly easy to do well if you already know someone’s name, email address, and what school platform they use.
What that might look like in practice: an email to your child’s school address that looks like it’s from Canvas, asking them to log in to verify their account. Or a message that looks like it’s from their teacher about a recent assignment.
The skills to build are simple. Does the sender address actually match who it claims to be from? Is the link going to the real Canvas site, or something that looks similar? Hover over links to show you the underlying addresses before you click.
When in doubt — come and ask before clicking anything.
That last one is the important one. Not because your child isn’t capable of working it out, but because a well-constructed phishing attempt is designed to bypass the part of the brain that pauses to check.
If your child’s school is affected
One thing the coverage tends to miss is what happens inside a school when this kind of incident hits. I researched this too. The organisations on the receiving end of breaches like this are often dealing with significant disruption to their systems, stressed IT teams working around the clock, and a recovery process that can stretch for weeks. The downstream effects for users of the victims products are even harder to manage.
The people carrying the weight of it are usually not the people who made the decisions that left the system vulnerable.
Your school has zero ability to get Canvas up and running by itself.
Don’t ask them why they’ve not fixed it yet.
Something to try this week
Check whether your child’s school uses Canvas (it will usually say so on the school’s website or VLE login page). If it does, let your child know what happened, in plain terms: their name and school email address may have been included in a data theft. That email address might receive some odd messages in the coming weeks. Their school systems should be good at filtering it out, but, if anything looks strange or asks them to log in or click a link, they should show it to you first.
No need to change passwords this time — they weren’t taken. No need to close accounts. Just: heads up, here is what to look for, and you can bring it to me.
That kind of advance briefing makes a real difference. Not because it prevents every mistake, but because it means they are not navigating it alone when something does arrive.
This post arrived early because the news did. Back on scheduled programming: next time we're talking passwords and passcodes. Spoiler: the advice you were given is probably wrong.