When Canvas went dark in the afternoon, a University of Maryland junior informed a friend that it was most likely just his laptop. The same thing was then said by his roommate. The group chat then came to life. Students all over the nation were staring at the same direct message on their screens within an hour—a ransom note that read more like a taunt than a demand. Before the university had said anything, the phrase “CANCEL FINALS” was circulating on Instagram. It was taken from a Barstool account.

I keep thinking about that particular detail. Barstool was the source of the children’s knowledge about it. Not from the press, not from Instructure, not from their dean. From a meme account. The way the ShinyHunters group handled this was almost theatrical, and the more you read about the breach, the more it seems like the money was less important. The noise was what they desired.

The Canvas Hackers Speak: It Wasn't About the Money, It Was About the Message

Ransomware crews typically prefer the shadows. The typical strategy involves quiet intrusion, quiet negotiation, and quiet payout; weeks later, the victim company will release a carefully crafted statement regarding an “incident affecting a limited subset of users.” Canvas was not treated that way. Login pages were vandalized by the attackers. A list of the impacted schools was posted. Knowing that finals week would take care of the rest, they gave reporters a story that was essentially prewritten.

And it did. According to a figure released by the group, approximately 275 million students and employees in 9,000 schools suddenly had a stake in whether Instructure paid up. Extensions were being granted by Australian universities. Campuses at UC and Cal State were in a panic. The syllabus PDF was being rediscovered by professors who had spent ten years moving everything they taught onto a single cloud platform.

Eventually, the business declared that it had “reached an agreement with the unauthorised actor,” a phrase that attorneys use when they can’t bring themselves to use the word ransom. The majority of analysts believed that something less than the stated ten million dollar demand was transferred, perhaps via an insurance underwriter. Instructure claims to have obtained “digital confirmation of data destruction” through shred logs. This may seem comforting, but keep in mind that the other party is a criminal extortion ring.

It’s difficult to ignore how performative the entire event seemed. It wasn’t really necessary for ShinyHunters to vandalize the University of Texas San Antonio login page in order to establish their presence. They did it because vandalized pages garner attention, and attention encourages cooperation from the next victim. The Canvas hack was an advertisement; the extortion was added to it as a sort of business model.

A longer discussion about the things that schools have covertly outsourced is hidden here. Lecture slides, grade books, recorded discussions, private messages between students and professors, going back years. Everything is stored in a single vendor’s cloud, accessible via a single set of login pages, and protected by whatever the vendor determined to be a fair security budget for that particular quarter. Because it was less expensive and simpler, higher education continued to stack dependencies, and hardly anyone inquired about the failure mode. They are aware now.

Governments are always telling people not to pay. Businesses continue to pay. According to Australian surveys, 81% of breached businesses are willing to deal. This indicates that the official and practical positions are hardly compatible. That math is unlikely to change as a result of the Canvas episode.

It may alter how attention is calculated. ShinyHunters demonstrated that you don’t need to threaten infrastructure or steal state secrets in order to control a news cycle if you hit something deeply ingrained in daily life. All you have to do is schedule it for finals week. To be honest, that precedent seems like the thing to be concerned about.
