Canvas outage and library contingency planning

Instructure's Canvas platform was hit by a ransomware attack in early May, creating chaos in educational institutions worldwide.


Many schools, colleges and universities rely on Canvas for course guides, assigned readings, lecture slides, assignment instructions, study materials and communications between faculty and students. The latter is particularly significant in light of the Canvas attack, since those communications often include sensitive, personal information. Hacker group ShinyHunters took credit for the attack and sent ransomware messages not only to the customer institutions but also to individual students. Very scary.

Although education is where deployments of Canvas predominate, associations such as IFLA (International Federation of Library Associations & Institutions) and companies such as German grocery store Rewe are Canvas customers. IFLA sent a notice to members that Canvas was unavailable, stressing that no user data was compromised. For colleges and universities in the U.S., the timing could not have been worse, hitting as it did just as final exams were about to commence. Some schools delayed exams, while others cancelled them altogether.

Libraries were also hit hard by the outage. When Canvas went down, so did its Library Tools feature, which libraries use for displaying LibGuides and subject-focused database lists, along with basic information such as location hours, AskALibrarian FAQs, librarian-designed modules, and chat widgets. Librarians could also have been added to courses by the instructors.

Ransomware attacks

Ransomware attacks are not new, and they have caused significant damage and expense to libraries, including the British Library in October 2023, Toronto Public Library, also in October 2023, and Seattle Public Library in May 2024. Rebuilding or replacing legacy systems and recovering data is a massive—and expensive—undertaking.

Lessons learned from ransomware attacks on libraries include backing up data, securing or replacing legacy systems, and preparing for a manual approach to common library tasks, such as circulation. That assumes the attack was directly aimed at a single library system. The Canvas outage was vastly more widespread, targeting Canvas customers, which included thousands of educational institutions and their libraries. Communicating with students and library users with consistent, organized, "single source of truth" messaging reassures them that the institution knows what it’s doing and is prepared. Even then, it will not completely alleviate fears of identity theft and financial losses.

Contingency plans

Contingency plans should start with the premise that no library is completely immune from attack. In the case of the Canvas attack, the library can take on the role of help desk, as students may not know where else to turn for accurate information and will need advice, explanations, and a personalized roadmap of what to do next. This was not simply downtime; this was a major security breach. Warn students about the possibility of phishing emails. Look at existing collections that can provide alternatives to data provided on the Canvas platform.

Your contingency plan toolkit could include a list of those alternative data sources, particularly any that are open access, that students will need to complete their courses and get a good grade. A template that faculty can fill out with the information students will need will guard against the multiple versions that faculty would otherwise send to the library. Have another template explaining how phishing works and what to look out for. Review your contingency plans with staff on a regular basis and update them as circumstances change.

Today is International Anti-Ransomware Day, observed annually on 12 May to raise awareness about ransomware threats and promote prevention.