Skip to main content

Canvas User Data Security Issue

Canvas User Data Security Issue

Two separate cybersecurity incidents impacted Ivy Tech’s learning management system IvyLearn (Canvas). 

IvyLearn is operational and secure. The incident is being investigated by Instructure, the parent company of Canvas.  

More information will be communicated by Instructure and Ivy Tech as it becomes available. Please refer to the below Frequently Asked Questions for additional information, or refer to Instructure’s Incident webpage. 

Frequently Asked Questions

  • Instructure, the company that provides Canvas, recently experienced a cybersecurity incident involving a criminal threat actor. The company notified multiple institutions worldwide, including Ivy Tech. 

    There were two separate incidents. On April 29, Instructure, Canvas’ parent company, detected unauthorized activity that gave an external source access to data. The company revoked that access and began an investigation. 

    On May 7, the same external source accessed Instructure’s website and posted a ransom note that some users could see. The attack was detected and stopped within minutes, but as a precaution IvyLearn (Canvas) was placed in maintenance mode while Instructure confirmed the scope of the incident and verified that access had been removed. No additional data was accessed during this second incident. 

  • This was not a breach of Ivy Tech’s internal systems or networks. However, Instructure confirmed that Ivy Tech is among those affected. After the initial incident, Ivy Tech began working with Instructure to determine what information was accessed and to take additional security measures, including updating passwords on administrative accounts, reconfiguring data integrations, and reviewing administrative access. Notification was made to students and faculty. 

    On May 7, faculty, staff, and students lost access to IvyLearn while it was in maintenance mode due to the second breach.  

    On May 8, Canvas was restored, but out of an abundance of caution, Ivy Tech OIT and Educational Technology staff temporarily restricted access as a security precaution while we assessed risk and confirmed the safeguards put in place by Instructure. Access was restored by 10 a.m. Deadlines were extended to ensure students and faculty could meet end-of-course requirements. 

  • At this time, exactly what information was accessed is not known and varies among institutions. Instructure’s investigation of the incidents is continuing, including determining exactly what data was accessed. That information should be known in the coming weeks, and then notifications will be made to users whose information was accessed. 

    The data accessed included:  

    • Canvas user names 

    • Email addresses  

    • Course names 

    • Canvas messages 

    It did not include:  

    • Passwords  

    • Personal information (such as date of birth, Social Security Number or financial information) 

    • Course content or submissions 

    • Grades  

    • Disciplinary information. 

  • Ivy Tech took immediate action to:  

    • Update passwords on all service accounts with root-level access  

    • Reconfigure all data integrations 

    • Review administrative-level access  

    In addition, Ivy Tech required that all administrative users regenerate their digital credentials to ensure secure access.  

    Instructure immediately revoked access of any impacted accounts and then worked to identify the vulnerabilities in their system that allowed that access and addressed them. In addition, the company has taken pre-emptive, proactive steps, including cycling employee sessions, internal access tokens, and developer keys; simplifying security architecture; adding broad protections; and additional controls and processes internally to reduce the impact of an attack if were to happen again. 

     In addition, Instructure reached a formal agreement with the unauthorized actor to return all accessed data, destroy all copies, and make no contact with users. They have also engaged CrowdStrike, a leading cybersecurity firm, for forensic analysis and 24/7 monitoring. You can read more about Instructure’s response on Instructure’s Incident webpage. 

  • You do not need to reset your password. If you have technical issues or cybersecurity concerns, please contact the Service Desk. 

  • We continue to actively monitor the situation and will communicate any new developments as they arise.  

    Instructure will continue to provide updates on the investigation. That includes informing affected users of exactly what information was accessed and who was affected, which they expect to have in the coming months. For the latest from Instructure directly, refer to Instructure’s Incident webpage. 

  • If you have technical issues or cybersecurity concerns, please contact the Service Desk. 

  • On May 21, Instructure provided an update about its third-party investigation and data analysis. Instructure is confident that data related to Ivy Tech’s Canvas accounts was not involved in the data breach.

  • On May 21, impacted organizations were provided a file containing an initial assessment of the data fields that may have been involved in the breach. Ivy Tech did not receive a file. Instructure communicated to customers: “If you did not receive a delivery of files regarding the incident in Canvas on May 21, you can feel confident that as of now, we have determined that your data was not involved in this incident. We will confirm that determination once our third-party data review is complete.

Instructure Incident Page