KSHB 41 News anchor Taylor Hemness reports on stories across Kansas, including a focus on consumer issues. You can contact Taylor by email.
—
Parents, students and teachers in the Kansas City area got a scare on Thursday afternoon, when Canvas, a program used by multiple local school districts and colleges, was apparently hacked, blocking people from using the system.
Districts like Blue Valley and Shawnee Mission use Canvas for student assignments and grades, instructional materials, even communicating with parents and families. Its parent company, Instructure, says on its website that more than eight thousand schools and universities use it worldwide.
On Thursday, a message from the hackers, a group called "ShinyHunters" appeared on the system, threatening to release information unless a ransom was paid.
Friday morning, Instructure said that Canvas was fully operational again.
KSHB 41 also received the following statement from Shawnee Mission School District:
"We are watching this situation closely because safety and security for our students and staff is a high priority. Currently, we have no evidence that any information was breached. Out of an abundance of caution, we sent reminders to our staff and families that are always best cybersecurity practices. We will continue to monitor and stay in close contact with the vendor."
I reached out to a local cybersecurity expert to talk about this, and ask what parents should do if they and their children used Canvas.
"If that's a password you've used in other environments, you can have to kind of assume they have access to that now," Sam Sapp of Lockbaud said. "You kind of have to assume the worst, and if that was a password you used elsewhere, you'll want to have that reset."
What's more frightening is that Sapp also told me that you might notice new spam or fishing emails or text messages that include details about you and your children, because their information was stored in Canvas.
"When their campaigns are used in the extreme, we've seen wild scenarios where they pretend like your child or someone you love is being held ransom," Sapp said. "You're like, 'How would they have that if they didn't have XYZ?' And their goal is to get you to pay them in some sort of way or method. Then you find out later that you were duped all along, and they were just using old information that they gathered from, say, this sort of incident."
Sapp said that ShinyHunters has been active for about seven years, and has attacked other companies like AT&T and Rockstar Games.
—
