The cleanup continues after a nationwide cybersecurity breach involving the third-party online learning platform, Canvas.
Regis Billings is the Associate Director of Tennessee Tech’s Cybersecurity Education Research and Outreach Center. Billings said the true extent of the breach is currently unknown. The hacking group responsible allegedly accessed the back end of Canvas’s website and acquired sensitive data from students and faculty.
“This is a lot more like a game of poker at this point,” Billings said. “The bad guys are saying that they have a really good hand. And so now all of a sudden the victims are kind of calling on it and saying, ‘Okay, well show us your hand.’ And the bad guys don’t necessarily want to at this point.”
Billings said the hackers have attacked Canvas twice. Originally, they were extorting the online platform, and now they’re going after individual school systems themselves, according to Billings.
“As far as the actual dangers associated with students and faculty, it’s really hard to predict because it’s difficult to determine what all was up on Canvas,” Billings said. “Canvas hasn’t come out and publicly stated what all they had. And then on the other side of it, we don’t know necessarily what the bad guys actually gained access to.”
Billings said the same group reportedly hacked the global video game company Rockstar Games in an attempt to extort money in exchange for sensitive information. Billings said the attempt failed after Rockstar ultimately called their bluff.
“It’s difficult to tell with this group exactly what the total exposure may be,” Billings said. “We don’t believe that Canvas had access to like social security numbers and things like that. But we do know that Canvas has access to student numbers, email addresses, grades, very specific potentially intellectual property associated with schools, and a lot of potentially like PII, potentially some addresses and things like that.”
Now, Billings said, the group has caused delays to final exams at the university, and the breach could potentially lead to private health and other academic information being exposed if the leaks go public.
“This was a social engineering attack that precipitated this, bad guys potentially got in, and then hacked the back-end data associated with that,” Billings said. “So now what is that exposure, not necessarily vulnerability, but it does appear at this time that the exposure was very significant and very broad for all the information put up on Canvas.”
Moving forward, Billings said universities need to be careful which third-party vendors they trust with their students’ data. Billings said the leaks could raise serious concerns about the validity of final grades.
“If a school put everything up there as far as grades, content and everything else, and now bad guy had access to it, the students can come back and potentially say my grades were manipulated,” Billings said. “And so it has not just the psychological effect, but this real effect potentially on the students at the end of the day.”
ShinyHunters first rose to prominence after reportedly hacking into Salesforce last year, among several other high-profile companies.
“Cybersecurity is a big deal and I feel like a lot of companies don’t take it serious until something like this happens,” Billings said. “I appreciate that people are kind of standing up and really paying attention to this hack and taking it serious so that we can prevent hacks like this in the future and understand what we’re trusting third parties with.”
On Tuesday morning, the Canvas hackers released a statement that said in part, “The matter has been resolved. The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent.”



