RUBY DOWLING: On Thursday, students at Northwestern — and at nearly 9,000 other academic institutions — were victims of an international hacking scheme carried out by ShinyHunters, a cybercrime extortion group. The attack, which targeted Instructure, Canvas’ parent company, left students unable to access their grades, homework assignments and course pages for over 24 hours.
I sat down with three Daily reporters to paint a full picture of how the Canvas outage impacted the University’s digital landscape.
[music]
RUBY DOWLING: From The Daily Northwestern, I’m Ruby Dowling. This is What’s New at NU, a podcast about everything from mainstage NU issues and events to those hidden in the nooks and crannies of campus.
This episode is an extension of The Weekly, a breakdown of the top headlines from the past week. Now, let’s go to how Staff Editor Clara B. Freeth found out about the Instructure breach.
[music]
CLARA B. FREETH: I was in Deering (Library), and I was trying to write a paper for my conspiracy theories class. And then all of a sudden, I had this like cryptic ShinyHunters message. And, I refreshed my Canvas, and then my Canvas had it too. And so I took a picture, and I texted my friends, and they all had it too. And I was like “Oh my God, we just got hacked.”
So, I immediately picked up my phone, I left the Deering quiet area, and I called (Editor-in-Chief) Anavi (Prakash), and I said “Anavi, we need to write a story right now.”
RUBY DOWLING: On The Weekly, Clara went over the timeline of events from Thursday, when Canvas first went down, to Saturday morning, when Northwestern Information Technology announced that the website was back online. You can find that episode on The Daily’s website and all podcast streaming platforms.
Clara’s first call was to Editor-in-Chief Anavi Prakash. I sat down virtually with Anavi later on Sunday to ask her about how The Daily handles developing stories like these.
[music]
RUBY DOWLING: Anavi, as editor-in-chief, can you talk to us a little bit about how The Daily responds to emerging and evolving crises on campus?
ANAVI PRAKASH: I got about five Slack messages from different people, being like “Hey, I don’t know who I should tell, but Canvas is down.” So really, it is through that word of mouth, because that is what breaking news is, it’s not something you really expect to happen, but then it does.
And then, it’s a matter of, OK, I know about it, we looped in Desiree (Luo), our campus editor, and it was really more about how do we get this information out as soon as possible. And, Clara was ready to jump on it and I was like “OK, I’m not doing anything right now, so I can help, too.”
And it really just goes like that. You try to get all the core information on what’s available then to get an initial story up. And then, reach out — we reached out to the University for comment — and focusing on filling in those details. Clara went out and talked to a few students about what Canvas being down meant for them, and things like that.
So, it really is a team effort in a lot of ways. And we were able to cover it, so, yeah.
[music]
RUBY DOWLING: From Thursday through Saturday, Anavi monitored the University’s response to the hack, as well as any important developments on the NUIT end.
[music]
RUBY DOWLING: A “scheduled maintenance” notice replaced ShinyHunters’ ransom note within hours of the attack, but Canvas didn’t fully return to regular operations for over 24 hours. Around 9 p.m. on Thursday, the site appeared to be back online for a short period of time before shuttering again. On Friday, May 8, NU announced it would be extending the class drop deadline in response to the outage. Students were able to regain access to their assignments and grades Saturday morning. There have been no developments since then.
On Sunday night, I sat down with Assistant Multimedia Features Editor Ryan Ottignon — who has been covering hacking for three years as a freelance journalist — to learn more about who the ShinyHunters group is, why this attack matters and what may come next.
[music]
RUBY DOWLING: Ryan, thanks for being here today.
RYAN OTTIGNON: Thank you so much for having me.
RUBY DOWLING: Let’s start with the basics: What is, or who are, ShinyHunters?
RYAN OTTIGNON: So, ShinyHunters is a group that, as far as anyone can tell, is this loosely associated group of people surrounding an individual, Shiny, that have done largely extortion-based data breaches, which means they use whatever means necessary to get access to data, and then they extort a company to pay them money or they release it. It’s a “pay or leak” scheme.
RUBY DOWLING: Canvas went down on Thursday, but can you tell me about the history of higher ed(ucation) attacks performed by ShinyHunters?
RYAN OTTIGNON: Yeah, they have targeted universities in the past — Harvard (University), Princeton (University), (University of Pennsylvania). They’ve also been targeting these non-university-level things. They’ve targeted, in the past, another more K-12 focused, Canvas-like tool called Infinite Campus.
They’ve also targeted things like Udemy, which provides certifications, they’ve targeted McGraw Hill and Houghton Mifflin Harcourt, both of which are textbook manufacturers, and so on, and work with school districts and work with universities. Ultimately, they have kind of taken, especially in the past year, this particular focus on higher ed(ucation).
In this case of the Canvas breach, it’s not really so certain that they’ve gotten anything too sensitive about students. What’s available to Canvas is not really passwords. Usually, students log into it through a single sign-on option, which means they’re signing on through their university. So a student doesn’t have a password associated with a Canvas account, and so on, with Infinite Campus.
Instead, they would have access to names, maybe school emails, maybe profile pictures, and things attached to a profile, which isn’t anything that falls under “personally identifiable information” — that’s a definition that the U.S. government and other authorities use.
So instead, this is a huge target for ShinyHunters, and it generally for all their higher ed(ucation) targets. Because they are targeting groups that deal with minors, and they’re dealing with K-12 districts and universities where people are generally young. So it makes people care because it’s their kids being affected, and it makes the news like it did this way. This is probably one of their largest breaches to date. So, yeah, it’s a great target for them.
RUBY DOWLING: NU’s Canvas site is back online. It’s functional for students. The pay or leak deadline that ShinyHunters set has not yet elapsed, I believe. In these kinds of scenarios, the sort of “pay or leak,” how often are victims paying up?
RYAN OTTIGNON: Ultimately, it’s not sure whether they’ve paid by this May 12 deadline which ShinyHunters initially sent. But we do know that Canvas is back up.
And paying a ransom of this size, usually ShinyHunters is actually rather cheap, in terms of the ransoms that they set for this extortion data. It’s about $1 per record, 95 cents really is what people have put it at.
Companies generally don’t pay per guidelines that have been set by teams that deal with hacked data and the negotiators in general. They don’t pay for a couple reasons: one, because paying that much money does not guarantee that the data won’t be released.
RUBY DOWLING: Not to make you do some terrible mental math here, but at that rate of 95 cents, or we can round it to $1 for simplicity, if Instructure was to have paid the ransom, how much money would they have paid ShinyHunters?
RYAN OTTIGNON: Well, I just threw it into a calculator. If they’re going at their normal rate, let’s say it’s 95 cents a record, they would be asking for something on the scale of hundreds of millions, 260, 270 million. They’re claiming about 275 million records from almost 9,000 schools. That includes K-12, so that includes in Evanston. They listed two different instances of things that appear to be Evanston/Skokie School District 65.
So this ransom would be on the scale of hundreds of millions. Of course, because it’s so large, it wouldn’t be abnormal for ShinyHunters to ask for a lower thing and then work up. It also wouldn’t be abnormal for them to give a lower worth to these records because they don’t include passwords, they don’t include exceptionally sensitive things as far as we’re aware. Including Social Security numbers or anything like that, that would be a very high price that they’d be asking.
But yeah, TL;DR: hundreds of millions.
[music]
RUBY DOWLING: Great, Ryan, I appreciate you coming on tonight.
RYAN OTTIGNON: Thank you so much, Ruby.
RUBY DOWLING: From The Daily Northwestern, I’m Ruby Dowling. Thanks for listening to another episode of What’s New at NU. This episode was reported and produced by me, Ruby Dowling. Liam Barrett, Clara B. Freeth, Ryan Ottignon and Anavi Prakash also contributed reporting.
The audio editor is Wallis Rogin. The multimedia managing editors are Ruby Dowling, Isabella Jacob and Matt Wasilewski. The editor-in-chief is Anavi Prakash.
Follow us on X and Instagram @thedailynu.
X: @rubywright0
