Eugene School District 4J

Canvas by Instructure, the online learning platform used by 4J and thousands of other educational institutions worldwide, has reportedly taken steps to secure recently breached data.

The Instructure CEO on May 11 announced that the company had "reached an agreement" with a computer hacking collective that illicitly obtained millions of student and staff names, school email addresses and the text of communication between students and staff. CEO Steve Daly wrote that the company received assurances that data had not been copied or shared, that it would not be used to extort individual students or staff, and proof that it had been destroyed. Canvas/Instructure has also said that it was taking steps to prevent any similar breach in the future.

The district shared information with families and staff on May 7 after hearing from the company about a data breach, and clarifying to the extent possible what the exposure and reasonable risks were for students and staff. Canvas is up and running for district users; however, the 4J Technology Department put security measures in place in response to the reported breach that the vendor must update before Canvas can sync data with our Student Information System. Staff and families can continue to email 4J Technology Director Dan Farley if they have questions about the Canvas data breach.

May 7: Canvas data breach has possible student, staff impacts

Eugene School District 4J was notified by the vendor that supports our primary online learning management system for district students and staff, Canvas/Instructure, that they have been impacted by a nationwide data breach that impacts our district. 

Hackers have claimed that compromised information includes student names, student ID numbers, district email addresses (those ending in @4j.lane.edu), and the text of messages sent between students and teachers in Canvas.

Canvas/Instructure has not confirmed yet whether that information was actually compromised. We do not have reason to believe that any other sensitive information was released, such as birth dates, passwords, social security numbers, financial information or home addresses. The school district’s student and employee information systems are totally separate from Canvas and Canvas does not require or include more sensitive data.

The vendor shut down access to the platform after it realized the nature of the hack, and it has begun to address the security problem. The only disruption to normal 4J use of Canvas was the delayed release of a student progress report. Since Canvas/Instructure will continue to perform system maintenance in the days ahead, some further disruption of normal Canvas function is possible, and that progress report will be published as soon as possible. 

School District Technology staff believe that there is not a high risk for negative effects for students and staff from this event. The district has several protections in place for students and staff, including phishing filters that should protect student and staff 4J email accounts from phishing attempts. However, students and staff should continue to be mindful of phishing attempts (see this resource on phishing from Google). Please be especially wary of emails  that claim to be from the school, district, or Canvas that ask for confirmation of logins, include unexpected attachments, or ask for fee payment using atypical methods. 

The district is closely monitoring the situation and continuing to assess any impacts on district students and staff. We are in consistent communication with Canvas/Instructure, and will inform parents, staff and community partners if new information emerges. We also want to be clear that this is a vendor-driven, nationwide breach that is impacting over 8,800 educational institutions across the country, primarily within higher education. Our district servers and networks that host student data have security procedures in place, such as secure sign-ons, that remain secure and are not subject to this breach.

Canvas/Instructure is also posting updates on this security incident to their status website, which is available to the public for those who are interested in monitoring the situation.

Please contact Dan Farley, Director of Technology, if you have any questions or concerns regarding this external data breach.