Global student network more vulnerable after successful system hack - experts
by Luka Forman · RNZ

*Editor's note: RNZ initially sought a response to Ulrich Speidel's comments from Instructure on May 14 and was referred to an earlier statement which did not directly address those concerns. This article was republished on May 20 to include a response from Instructure Vice President of Global Communications JP Scheurman, who disagreed that Canvas was vulnerable to future hacks.
A computer science lecturer warns that universities are much more vulnerable to having their systems hacked, after the learning portal many use had its security breached last week.
Last Friday, the Canvas system was hacked by a "malicious actor", and names, email addresses, phone numbers and messages between students and staff were put at risk.
The system, used by about 9000 institutions worldwide, was out of action for about two days, before it was brought back online.
University of Auckland computer science lecturer and technology consultant Ulrich Speidel said the system was now far more vulnerable to future hacks, because the hackers had got inside the programme.
"The moment you're on the inside and you can actually see the code that's there, it makes it much, much easier to look for security holes."
Because of that, he worried the hackers could strike again soon.
"We might be seeing those hackers come back in days or weeks to come, once they've looked through the code that they may have been able to look at."
RNZ contacted Instructure for a response to Speidel's comments on May 14, and it referred us to an earlier statement which did not directly address the concerns.
After this article was initially published, Instructure Vice President of Global Communications JP Scheurman contacted RNZ on May 20 to say the company disagreed that Canvas was vulnerable to future hacks.
"Canvas is an open-source Learning Management System, and the threat actor responsible for this incident did not have access to 'code' that would create additional risk for Canvas. We have put strong supplementary protective measures in place to increase the security of our system and closed the pathways that enabled this incident."
Speidel said his department was planning for how it would teach students without Canvas, if there was another hack.
He had raised concerns about Canvas in the past, after noticing that students could log into one account from different locations during an exam, allowing them to bring in outside helpers.
He said the response from Instructure, which runs Canvas, was to ask him to put it on to the community mailing list and, if enough people supported it, they'd fix it.
"That's not really the attitude that I'd expect from a supplier who prides themselves on providing a secure system."
Earlier this week, Instructure said it had "reached an agreement" with the hackers.
As part of the agreement, the stolen data had been returned, along with digital confirmation that the hackers had destroyed the data on their end.
Speidel said cybersecurity was not usually a priority for organisations commissioning a web app from a third party, but it should be.
"Universities are not alone in this... people need to ask, what's the vendor's security stance? What experience do they have in terms of security?"
Cybersecurity commentator Anthony Grasso agreed that organisations needed to take cybersecurity more seriously and legislation was needed to make that happen.
"Right now, there is no reason for them to really put a lot of effort into cybersecurity, in terms of the law."
The government has made a Cyber Security Action Plan, which included considering introducing penalties for data breaches under the Privacy Act.
Grasso said that could mean, in future hacks, organisations that had their data breached could be liable. In a case like the recent Canvas hacks, that could be the universities themselves.
"I would imagine the privacy commissioner in New Zealand would be fining universities, because ultimately, they're outsourcing this part of their business, so universities still really are held accountable for the data."
The Justice Ministry, which leads work on the fines, said there were various options for liability, which it would provide in its advice, and couldn't comment on liability in the Canvas example.
Grasso agreed with Speidel that the Canvas hackers would likely be waiting to strike again.
Universities and Instructure respond
A University of Auckland spokesperson said Canvas was a third-party teaching and learning portal, used by 9000 teaching institutions worldwide.
They said the hack was not a breach of the university's systems and no other systems were at risk.
Victoria University of Wellington chief operating officer Tina Wakefield said the university invested in industry-leading tools to monitor and contain cybersecurity threats.
"We will conduct a full internal inquiry into this incident to ensure we are prepared for the future."
An AUT spokesperson said it had both incident management and cybersecurity plans for hacking situations.
"The incident has highlighted our ongoing work to keep staff and students informed about risks, and we continue to roll out training, including flagging phishing risk that can result from leaked information."
They said the recent incident highlighted ongoing work to keep staff and students informed about risks including training about phishing attempts that can result from leaked information.
Instructure, the company that operates Canvas, referred RNZ to an earlier statement from its chief executive officer.
"Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom... I'm sorry for that."
"Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.
"We'll give you clear guidance, if any action is required on your end. Right now, there's nothing you need to do."