Editor's Note: Canvas Breach Highlights the Dangers of SaaS Overreliance

Thousands of schools and millions of students are scrambling to access classroom materials today after a high-profile ransomware attack.

Key Highlights

  • Criminal hacking group ShinyHunters breached Canvas LMS this week, locking an estimated 28 million students and teachers out of the platform during final exam season.
  • The attack exposed names, email addresses, student IDs, and internal messages across roughly 2,400 U.S. colleges and 39,000 K-12 schools.
  • The lesson: overdependence on a single SaaS provider is an organizational risk, not just an IT problem.

Last school year, my wife and I attended parent/teacher night for both of my sons – one entering 7th grade and the other 11th grade at the time. At both the high school and the middle school, every single teacher’s presentation included a version of this line:

“So, we are implementing this new system called Canvas. It’s going to be really great. Your student will be able to complete all of their assignments, communicate with teachers and counselors, and take tests in one place. You will be able to track their progress and see their grades in real time as they are entered. Please bear with me, as this system is totally new to me, but once I get the hang of it, everything will go very smoothly.”

Seemed like a fine idea…until it wasn’t.

This week, the criminal hacking group ShinyHunters is holding Canvas for ransom. While the SaaS company that makes Canvas, Instructure, scrambles to restore service to literally millions of students and teachers, very few of them can access the system.

And in case you haven’t heard, it’s final exam season, at least where I live. Students are unable to study. Teachers are unable to administer exams, let alone enter final grades.

The scope is pretty incredible: Instructure has done a tremendous job at selling the Canvas platform; in fact, according to estimates, 40% of U.S. universities use the system, and it owns roughly a 30% market share in U.S.-based K-12. That translates to about 2,400 colleges and 39,000 K-12 schools, which boils down to around 28 million students affected, give or take a couple of million. There are millions of international Canvas customers as well. That said, most reports cite a different figure of 9,000 affected schools while also claiming 275 million affected records, so the true scope is anyone's guess.

I received this heartwarming email message yesterday: “Please know that the cyber incident involved the third-party Canvas software program, not our district’s technology infrastructure. According to the vendor (Instructure), student passwords, social security numbers, and financial information were not involved. However, some limited user information – such as names, email addresses, school assignments, and internal Canvas messages – may have been involved…please be assured that your student’s most sensitive information has not been compromised.”

Thankfully, both of my students are largely unaffected, as their teachers have either already administered final exams and entered the grades, or those exams aren’t scheduled for a couple more weeks.

A scroll through X tells the story better than any statistic could: students locked out of finals and study materials, teachers unable to submit grades, parents furious. One of the most shared messages came from a college professor on Thursday night:

Students,
I understand that Canvas has been down for much of this evening. However, the final exam study guide has been posted for a week and a half. You have had ample time to download it. Your TA now has a copy so if you need it, please email them…the final exam will take place tomorrow morning at 7:30 a.m…I will not reschedule it. I will not be giving any make up final exams.

As the father of a procrastinator – and one myself, admittedly – this gives me the chills.

In fairness, there are plenty of posts that say “Canvas is back up” or “our Canvas wasn’t affected,” but there is a security lesson beyond the familiar “don’t click links in emails” and “change your password” narrative every time a major breach happens.

First, end-user organizations that treat a single SaaS platform as a one-stop shop take on real risk. You need backups. You need alternatives in case of an outage. Trusting your most vital organizational processes to a third-party provider means you inherit that provider's security practices, whether effective or not. Even the most fervent supporters of cloud-based software will not go so far as to say that cloud equals "secure," and end-users must remain cognizant of that fact.

Security integrators and consultants must embrace the same principle. Vigilance remains paramount. Cloud solution providers must be vetted and their security practices checked before their products are deployed into vital operations for your customers. Backup plans should be in place – both internally and for external customers.

Vendor risk means risk for everyone, even our kids.

About the Author

Paul Rothman

Editor-in-Chief/Security Business

Paul Rothman is Editor-in-Chief of Security Business magazine (www.securitybusinessmag.com) and has been covering the security industry for various outlets since 2001. Email him your comments and questions at [email protected].
