Listen to the article
This audio is auto-generated. Please let us know if you have feedback.
Dive Brief:
- A recent cybersecurity attack at Instructure ed tech company exposed certain student information, the ed tech company confirmed in a status update on its website Friday, but added in a Saturday update that it believes the incident has been contained.
- Information impacted by the data breach includes messages between users, names, email addresses and student ID numbers, according to Instructure. The company said no passwords, dates of birth, government identifiers, or financial information were believed to have been compromised as of Saturday.
- While Instructure said it is actively investigating the incident alongside forensics experts, the company has not disclosed how many school districts were affected.
Dive Insight:
Instructure, on its homepage, touts itself the “most-visited education website in the world.” The company operates several ed tech products for K-12 schools, including the widely used Canvas learning management system.
Canvas has over 6 million “concurrent users,” according to Instructure’s website. Instructure did not explicitly say the breach had affected Canvas, but did report it was investigating disruptions to some Canvas tools and putting the learning management system under maintenance around the same time it announced the data breach.
Upon request for comment and further details regarding the cybersecurity incident, Instructure told K-12 Dive in a Tuesday email to check the company’s status page, where it said updates on the breach would be provided as they become available.
In response to the incident, Instructure said on its status page, the company has revoked privileged credentials and access tokens related to the affected systems, deployed patches to increase system security, and heightened monitoring across all of its platforms.
The incident at Instructure marks the latest known data breach for a large ed tech vendor with sweeping implications for districts’ sensitive student and staff data.
Other recent high-profile cyberattacks targeted PowerSchool, a cloud-based K-12 software provider, and Illuminate Education, a student information system provider.
A Monday newsletter post by K12 Security Information eXchange, a K-12 cybersecurity nonprofit, said “small and medium businesses — including the majority of U.S. K-12 education software businesses — are frequent cybersecurity targets.” Some 59% of small and medium-sized enterprises experienced a cyberattack in the past year, according to research K12 SIX cited from Hiscox, an insurance company.
Ed tech companies are increasingly facing heightened accountability over cybersecurity from federal regulators and in the courts. In recent months, for example, the Federal Trade Commission reached a settlement with Illuminate over its 2021 data breach, while PowerSchool announced a $17.25 million settlement in the handling of student data on the Naviance platform.
Although these cases are “likely to shape market behavior,” K12 SIX said, they “won’t do enough in and of themselves to stem the tide.”
