Cabrillo College, UCSC among schools affected by nationwide cyberattack

Cabrillo College and UC Santa Cruz were among the thousands of schools nationwide that were affected last week when a cyberattack forced them to briefly shut down their learning management system, Canvas, Thursday and Friday. 

A hacking group infiltrated the platform’s parent company, Utah-based Instructure, and accessed a subset of data such as email addresses, course names and messages. Schools use the platform for assignments, communication and conducting quizzes. The attack and shutdown happened as many students were preparing for finals. 

Cabrillo College President Jenn Capps said in a message to the campus Friday afternoon that after restricting access Thursday, Canvas was restored and safe to use again at the community college.

“Following a global cybersecurity incident involving Instructure, the provider of Canvas, both the Chancellor’s Office and Instructure have confirmed there is no ongoing technical risk to our campus platforms or student information systems,” she wrote. “We understand that a disruption right before finals is incredibly stressful.”

UC Santa Cruz spokesperson Scott Hernandez-Jason referred all questions about the impacts to the local campus to the University of California Office of the President. In a statement later posted to the UCSC website, officials told the school community to consider the breach “a fluid situation.” 

“While we are back online now, access may be temporarily suspended again over the next several days if additional security measures are required,” they wrote in a Saturday message. “This is part of the ongoing, nationwide work to ensure the platform is fully secure.” 

Instructure says it first noticed unauthorized activity in Canvas on April 29 leading it to revoke the user’s access. The company began an investigation and consulted outside forensic experts. Instructure then noticed more unauthorized activity linked to the same issue last Thursday and shut down Canvas. 

In her message to the Cabrillo campus, Capps assured the community that the college didn’t detect any breaches of its internal systems. She said the potentially affected items include names, student ID numbers and email addresses, and Canvas internal messages.

However, she added that student passwords, Social Security numbers, dates of birth, government IDs or financial information weren’t involved in the breach. 

“We have assurances that Instructure scanned for file changes and confirmed there were no changes to user data (such as grades or assignment information),” she wrote. 

Capps encouraged Canvas users to remain suspicious of phishing attempts in suspicious emails or texts from anyone claiming to be Canvas or Cabrillo officials and requesting credentials.