Frequently Asked Questions about the Canvas cyber incident

FAQ Cyberincident Canvas

• What happened?

  Data belonging to 44 Dutch educational institutions was stolen in a cyberattack on the educational software platform Canvas. Worldwide, the incident may affect the data of approximately 275 million users. The attack has been claimed by the hacker group ShinyHunters, which was also behind the cyberattack on Odido earlier this year.
  
  The provider of Canvas, Instructure, has confirmed that Vrije Universiteit Amsterdam was also affected. According to Instructure, the attackers’ access has been terminated and additional security measures have been implemented.

• Who has been affected?

  Canvas is a digital learning environment used by students, academic staff, and support staff. They may have been affected by the cyberattack.

• Do I need to take any action as a student or staff member at VU?

  At this time, you do not need to take any action. VU is closely monitoring the situation and remains in close contact with the provider of Canvas, Instructure.

  However, it is important to remain alert to phishing emails. If your email address is part of the data breach, the likelihood of receiving such messages may increase.

  Would you like to know how to recognise phishing emails? Please see this page for tips.

• Is VU working together with other educational institutions in this investigation?

  VU Amsterdam is in close contact with other educational institutions and with the umbrella organisation Universities of the Netherlands (UNL), and is actively monitoring the situation. Where possible, information is being shared and a coordinated approach is being taken towards the provider and other parties involved. Please also see the online statement issued by UNL.

• Can I continue using Canvas?

  Based on the information currently available, Canvas can continue to be used safely at this time.

  Instructure has implemented additional security measures. These include security updates, the replacement of access keys, and enhanced monitoring.

• Which data has been compromised?

  Based on the information currently available, the compromised data may include the names of students and staff, email addresses, student and employee identification numbers, and possibly messages sent within Canvas.

• Does this have consequences for ongoing courses, exams, or assignments?

  At this time, there are no indications that this incident has direct consequences for education, such as ongoing courses, exams, or assignments.
  
  Canvas remains available and can be used as usual. Should this change, VU will communicate this in a timely manner.

• Where can I find the latest news about this incident?

  On this page, we provide the latest information, updates, and a FAQ.

• Where can I go with questions or concerns about this incident?

  Staff and students can contact the IT Service Desk for information security-related issues. This applies, for example, if they are unexpectedly approached about this incident in relation to their Canvas account, or if there appears to be phishing or fraud involved. These teams can help assess the situation and determine any necessary follow-up steps.
  
  If you wish to discuss concerns about the situation, please see here for where you can turn to within VU Amsterdam.