Penn, Rutgers, Penn State, and other universities nationwide lost access to Canvas platform in data breach

Local colleges were scrambling Friday to cope with a nationwide outage of a learning management system used by students and faculty, just as many schools were amid final exams and projects.

The outage of the system called Canvas, which began Thursday night, was due to a data breach and has impacted many colleges including the University of Pennsylvania, Rowan, Rutgers, Pennsylvania State University, and Princeton. Philadelphia-area K-12 schools that use the software were also affected.

The company that operates Canvas reported its services were back online Friday morning, but some schools hadn’t yet given the all clear and by mid-morning were still coping with outages and concerns about security.

Penn State canceled all tests that were to be given in its Pollock Testing Center Thursday night and Friday. The school said Thursday night that a resolution was not expected within the next 24 hours.

“We have notified ...faculty and are working with them to determine next steps for final grading,” the university said.

But as of 1:30 p.m. Friday, the school said the system had been restored though “some integrations and connected services may continue to experience limited functionality during the initial restoration period.”

Canvas is used for coursework and communications between students and faculty, among other functions. Instructure, the company that oversees Canvas, said the breach involved information containing “names, email addresses, and student ID numbers, as well as messages among users.”

Princeton University notified the campus Thursday night to watch for potential “phishing messages referencing Canvas, your courses, or account recovery.”

“Princeton will not direct you to unverified third-party sites for Canvas-related communications, and will not request passwords, Social Security numbers, or account information by email, text, or phone,” the university wrote.

Rowan University had told faculty Thursday night to make alternate arrangements with their students to administer exams and collect homework and projects, but said Friday morning that the system had come back.

“We waited until this morning to notify the university to make sure it had,” spokesperson Joe Cardona said.

Kathryn Quigley, chair of the journalism department at Rowan, said she had just finished her final grades in Canvas and planned to upload them into a separate Rowan program after dinner. But when she tried to reopen Canvas, it was offline.

“I’ve been a college professor for 23 years, and I used to use a paper gradebook, and then I would use Excel on my computer, but I just in the last couple years started doing everything on Canvas with no backup,” she said. “That is a mistake I’m not going to make again.”

She was able to get back into Canvas late Thursday night and took a screenshot of the grades for her class.

One of her colleagues, she said, still does her quizzes and tests on paper, she said.

“We would always tease her about it, but not today,” she said.

Temple University, which already finished its semester, said Friday that its Canvas system was back online and that the school had completed “several additional precautionary review and validation steps.”

“These included securing exports of critical academic data, reviewing Temple-specific Canvas configurations, and preserving relevant system logs to support any future review or investigative needs,” the school said.

While Canvas has been restored at some schools, Rutgers said it has decided to take security precautions before making the system operational again for the university’s users.

“We are currently assessing the safety and stability of the Rutgers Canvas system and will officially restore access once the Office of Information Technology ensures the platform is ready for normal operation,” the school said.

The Daily Pennsylvanian, the university’s student newspaper, reported Thursday that the breach was affecting Penn.

A message was posted on Penn’s Canvas page by the hackers warning universities that data would be released if they weren’t contacted before May 12, the DP said.

Inside Higher Ed reported earlier this week that the criminal extortion group ShinyHunters claimed to have attacked Instructure, and the breach affected nearly 9,000 schools worldwide.

The Daily Pennsylvanian said the same cyber group targeted Penn last fall.

As of Friday morning, Canvas was back in operation at Penn.

The Central Bucks School District told community members Friday morning that they could access Canvas again, after the platform went down Thursday night.

Some staff and students might have to log back into their emails, “due to additional security measures taken by our technology team,” interim Superintendent Charles Malone and Jason Jaffe, director of technology and innovation, said in the Friday message.

Central Bucks also temporarily disabled its connection to Infinite Campus, a student information system, delaying information syncing “between the two systems while we confirm full system stability,” Malone and Jaffe said.

“Our team will continue to monitor the situation closely and will restore normal integrations once we have full confidence in system integrity,” they said.

In South Jersey, Deptford school spokesperson Salvatore Randazzo said the school system learned about the outage late Thursday night from a teacher.

None of the district’s data was involved in the breach, he said.

Many Deptford students were undergoing state standardized testing this week and likely would have had few assignments to complete using Canvas, he said. There were no complaints received from parents or students, he said.

“It doesn’t seem like we had much impact from this, fortunately,” he said.