This is a large-scale hack by the hacker collective Shinyhunters where student and faculty data was leaked. Instructure has stated that it has received confirmation that the unlawfully obtained data has been deleted and will not be published. Although this has reduced the risk of further distribution, VU Amsterdam continues to monitor the situation carefully and is taking additional security measures.
View frequently asked questions about the Canvas cyber incident here. As soon as new information is available, we will update this post and the FAQ.
Update 20 May – Local Canvas accounts reactivated
Some users of VU Canvas used so-called local Canvas accounts. Due to the additional security measures taken following the security incident, these accounts were temporarily unavailable. The local Canvas accounts that have been active within the past three months have now been reactivated. Additional security measures have been implemented for these accounts, including extra verification during login. In the meantime, VU Amsterdam is working on a sustainable solution for the management and security of these accounts.
Do you not have access to Canvas while you believe you should? Or do you have a question? Please contact your faculty’s Educational Office or the person responsible for your (LLO) programme or external education programme. They can assess whether your account needs to be reactivated and submit a request for this.
Update 19 May – Connected applications within Canvas available again
All connected applications within Canvas (so called LTIs) are now available again. This means that most Canvas functionalities are once again operational for VU students and staff. If you continue to experience technical problems, please contact the IT Service Desk or your local IT support/faculty support team.
You can also read the update from umbrella organisation UNL here.
Update 12 May, 17:00 – Restart of Canvas
Canvas is now available again for staff and students with a VUnet-ID. The educational software is currently being restarted in phases. Other Canvas users who do not yet have access should temporarily make use of the Canvas workarounds.
VU Amsterdam has implemented additional security measures and has checked and made Canvas available again to students and staff in a phased manner. In doing so, careful consideration has been given to both security and remaining risks, as well as the impact that the unavailability of Canvas has had on students, staff, and education.
VU Amsterdam asks students and staff to remain vigilant regarding phishing emails and suspicious messages.
Because the system needs some time to safely reload all data and functionalities, not all existing information in Canvas may be immediately visible, and the system may respond more slowly than usual. In the meantime, alternative solutions, including support and workarounds for Canvas, remain available.
For students and staff of VU Amsterdam, more information will follow on Wednesday 13 May.
You can also read the update from the umbrella organisation UNL here.
Update 12 May – 09:00
On Tuesday 12 May, Instructure indicated that the data copied from Canvas by the hacker collective ShinyHunters has been deleted. Vrije Universiteit Amsterdam is currently analysing the situation in order to carefully assess a stable and secure relaunch of Canvas. In addition, preparations are being made for a phased restart of Canvas. More information will follow later today.
Update 11 May – 20:00
Canvas will remain unavailable to students and staff of Vrije Universiteit Amsterdam until Monday 18 May. At present, VU Amsterdam does not yet have sufficient insight into whether the measures taken by Instructure provide full assurance for a safe restart of Canvas. Students and lecturers have therefore been informed about available alternatives to the educational software, in order to allow teaching activities to continue as far as possible.
In taking this decision, VU Amsterdam is consciously prioritising thoroughness over speed, so that we can obtain a complete and reliable understanding of the situation. We recognise that this decision places considerable demands on lecturers and has a significant impact on students. Nevertheless, we consider this step necessary in order to safeguard the stability and security of education. Vrije Universiteit Amsterdam will continue to monitor the situation closely in order to make a well-considered decision regarding whether, and if so how, Canvas can be restarted in phases. The timing of any restart of Canvas may differ from that of other universities, as the technical situation may vary between institutions.
Students with questions regarding educational activities are advised to contact their lecturer. Lecturers who require support in organising educational activities may contact their faculty’s ICTO support team.
Please also read the latest update from Universiteiten van Nederland (UNL).
Update 12 May – 09:00 Stolen data deleted
On Tuesday 12 May, Instructure indicated that the data stolen from Canvas by the hacker collective ShinyHunters has been deleted. Vrije Universiteit Amsterdam is currently analysing the situation in order to carefully assess a stable and secure relaunch of Canvas. More information will follow later today.
Update 11 May, 12:00 - Practical support for lecturers
Work is underway to implement a safe solution and to ensure that education at VU can continue as smoothly as possible. To support this, an external page has been created, which contains a document with workarounds for Canvas functionalities. The page will be continuously updated based on new developments and available solutions.
Update 8 May, 18:00 - Canvas unavailable
VU Amsterdam has decided to temporarily suspend the use of the Canvas learning management system. Before Canvas can be resumed as normal, we require additional insight and greater clarity from Instructure regarding the security of its systems and the measures that have been taken. In parallel with working towards a solution, we are currently working hard on alternatives to Canvas. In this way, we aim to minimise the impact on education as much as possible. Students and staff were informed of this by email on Friday, 8 May.
Teaching and examinations in the upcoming period
Teaching and examinations will continue as scheduled. We understand that this requires flexibility from both lecturers and students. We therefore ask for your understanding of the situation. Please be assured that work is being done behind the scenes on appropriate solutions and on restoring the situation as quickly as possible.
Here you can read the latest update from the umbrella organisation Universities of the Netherlands (UNL).
Update 8 May, 08:45 - Education on campus and online classes can continue
Due to the disconnection of Canvas as a safety measure, Canvas is unavailable to students and staff today. Classes scheduled for Friday 8 May on campus can go ahead. Scheduled online classes can also go ahead in principle. Please use the login link provided in Outlook Calendar; the login links in Canvas are not available. An update on the follow-up measures being taken will be posted later this day.
It is possible that not all teaching activities will proceed as usual. We understand that this situation places significant demands on both students and lecturers. Behind the scenes, we are working hard to find a suitable solution and to resolve the situation as quickly as possible. We thank everyone for their patience, flexibility and understanding.
Update May 7, 23:50 - VU disconnected all systems connected to Canvas
Hacker group ShinyHunters has posted a message in the Canvas environment that they have regained or continue to gain access. They are threatening to make the stolen data public. As a precaution, VU has disconnected all systems connected to Canvas. If you go to the Canvas website you will be redirected to this update page. This will potentially affect teaching and attendance on May 8. VU has filed a preliminary notification with the Personal Data Authority.
Update May 6
Instructure has reported that there has been unauthorized access to part of their systems. Intruders have captured student and staff data. This may include student and employee names, email addresses, student IDs and messages between users. According to Instructure, no passwords have been leaked.
Measures
Instructure has taken additional security measures. As a precautionary measure, VU has disconnected all systems connected to Canvas. VU is also monitoring whether any student or employee data is offered on the Internet. The VU has provisionally reported to the Personal Data Authority and is in close contact with other educational institutions, SURF and the umbrella organization Universities of the Netherlands about the situation.
What does this mean for you?
At this moment Canvas is not accessible. The leaked data can be used for phishing emails. We therefore ask you to be extra alert for suspicious messages. For example, emails that arrive unexpectedly or ask to share personal information. Read more about how to recognize phishing emails here.
Help & Support
Have you received an unexpected or suspicious message? Or if you are unsure about an email, please contact the IT service desk. To discuss concerns about the situation check here where to go for this at VU.
Read the coverage of the incident from umbrella organization Universities of the Netherlands (UNL) here.