Local high school students in the Acalanes Union High School District (AHUSD) were affected by a national cyberattack at Instructure, the parent company and developer of Canvas, a widely used cloud-based Learning Management System (LMS) for K-12 and higher education. Canvas is the online learning management system that AUHSD uses for accessing curriculum, assignment calendars, and online gradebooks.

    On Thursday, May 7, some AUHSD students and staff lost access to some curricular resources during the shutdown of Canvas by Instructure.  Canvas was back up and running by the morning of Friday, May 8, according to Superintendent John Nickerson and Associate Superintendent for Educational Services, John Walker.

    The scope of the cyberattack included certain personal information of users at affected organizations. That includes names, email addresses, student ID numbers, and messages among Canvas users. Instructure found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.

    Instructure reported unauthorized activity in Canvas on April 29, and on May 7 they identified additional unauthorized activity tied to the same incident. Instructure released a statement saying that, out of caution, they took Canvas offline and into maintenance mode to contain the activity, investigate and apply additional safeguards. Instructure notified law enforcement of the incident, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.

    Instructure later confirmed that the unauthorized actor carried out this activity by exploiting an issue related to Free-For-Teacher accounts. “This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we're committed to resolving the issues with these accounts.” However, Instructure reported that in the meantime, Canvas is fully back online and available for use.

    Nickerson told The Lamorinda Weekly that AHUSD had not been approached for ransom and had paid no ransom. He confirmed that no AUHSD data was compromised as data integrity was maintained. Although Canvas is back up and running, there might be a few challenges with other programs that are integrated with Canvas as the integration was sealed off and are being reintroduced. Nickerson added that “Our tech team performed very well to protect systems and data.” 

    Walker confirmed that “Data security is a core priority for AUHSD, and our Technology Department will continue to monitor all of our online platforms to ensure the highest level of security.” On May 8, Walker informed parents that the Technology Department has been in communication with Canvas representatives, and there is no indication that any AUHSD data was compromised in the recent cyberattacks. AUHSD’s academic programming will continue as originally scheduled.