In what is the largest education data breach in history, notorious hacking group ShinyHunters stole personal data from the cloud-based Canvas learning management system on May 2. The global hack left hundreds of thousands of school and university students unable to access work or submit assessments, and some received ransom messages when they tried to access the platform.
“ShinyHunters has breached Instructure [again],” the message from ShinyHunters read.
“Instead of contacting us to resolve it, they ignored us and did some 'security patches'.”
The statement urged schools that were on a linked ‘affected list’ to contact ShinyHunters and “negotiate a settlement” or else their data would be leaked.
Canvas, developed by United States company Instructure, is used by close to 9,000 institutions worldwide.
More than 275 million student and teacher records were reportedly stolen globally, including data connected to NSW, Queensland and WA education departments, along with Tasmanian schools.
The compromised information includes names, email addresses, student ID numbers and even private messages between teachers and students.
Stacey Edmonds, co-founder of cyber safety company Lively and a former teacher, spends her days researching how cybercriminals operate and says incredibly convincing phishing scams are now likely to target schools.
Despite Instructure’s assurance that ShinyHunters has provided proof the stolen data has been shredded, Edmonds is not convinced the risk has been removed.
“People go, ‘oh it's okay, Instructure have paid the ransom’ – I think it was millions – for 272 million individual people's data.
“But the thing is, a group of decentralized criminals had that data for about three weeks.
“I know how the dark web works. And you just need one of them to go, ‘actually, this data is worth a small fortune, even if I only use 10 per cent of it’…”
Edmonds says she has personally downloaded the hackers’ file containing compromised data from 9,000 schools.
“That's just available,” she says.
“And Instructure put out a statement saying, ‘no one is going to be extorted because of this’. Are you joking? That's like Medicare saying no one's going to be extorted, or Optus, or (in the case of) every other breach.”

The expert uses real examples in her cyber safety game to upskill students in how to identify and think critically about online scams.
Given that attackers now reportedly hold real student and teacher names and their communication histories, this valuable information can be used to create compelling and sophisticated scams that go after children and educators, Edmonds says.
And it will only take cybercriminals a matter of minutes to do so, she flags.
“Let's pretend I'm a scammer criminal. So, what's the process? How does the business model work?
“Number one, you want to get as much information as you possibly can. The more information you've got, the more personalised you can make the scam.
“Now, in this hack, the data that was included was personal conversations between students and their lecturers.
“Well, that's gold – because now you've got what people have studied and the conversations they're having.”
Before GenAI was in the picture, creating customised scams using stolen data would take a relatively long time, but now it’s literally done on the spot, Edmonds explains.
“I downloaded the [file from] 9,000 schools, popped them into GenAI, and then asked it to research every single school and give me the administrative lead, the head, the teachers of the school, the associations, and give it back to me in a spreadsheet.
“It took three-and-a-half minutes.”
Students and staff should watch out for convincing emails, texts or direct messages that reference real personal details, Edmonds warns.
She says a scam message could read along the lines of:
“Hi [student name], this is [teacher name]. Click here to resubmit your assignment - the system lost it during the outage.”
Schools need to be explicit in their communications with their communities about the situation, Edmonds advises.
“This is a teaching moment,” she says.
“[Schools should say], ‘this has happened’ – in plain language without jargon – ‘we have to assume this data is in the ether. The platform was hacked, personal information was stolen. It's not anyone's fault, it just is.’”
Edmonds works with students from Year 3 to Year 12 teaching them how to identify and respond to scams before they are directly targeted.
“Scammers are creative, if nothing else. The scammers we find online, you look and think, ‘oh, that's good’ – you've got to admire the creativity,” Edmonds says wryly.
If you do receive an unexpected message that asks for some kind of response, the expert has some words of advice.
“Don't click on any unexpected links. Don't share any passwords. And if you're unsure, always use a telephone number you already have, an email you already have, and make the phone call.
“Assume that someone's got your personal details. And speak up. If you do get something, just ask: ‘do you think this is dodgy or not?’
“Don't respond. You don't need to do anything quickly. There's nothing urgent.”
Edmonds has created Dodgy or Not?, a cyber safety game for schools that draws on real examples to teach students how to spot scams, phishing attempts and manipulation tactics.
It’s available via the NSW Department of Education Online Learning Panel.
“We've decreased unwanted contact susceptibility from a hundred per cent to 50 per cent,” Edmonds reports.
“We're basically teaching kids how to not get groomed. The game teaches critical thinking, in the context of, ‘are we being scammed?’ Or, ‘am I in contact with misinformation and disinformation?’
“So it's contextual critical thinking.”