North Texas schools are assessing the damage left from a data breach affecting the education platform Canvas.

Read more What is hantavirus? How it spreads, Texas history and what to know

A group known as ShinyHunters launched a cyberattack against the platform’s parent company, Instructure, threatening to release data stolen from colleges and school districts that use the platform if the company didn’t agree to pay a ransom.

The attack interrupted service nationwide. Although access was restored Friday, school districts and colleges are still dealing with fallout from the breach.

Related: What is Canvas, the online platform used by schools nationwide hit by a cyberattack?

Teachers and professors use Canvas to manage grades, make and collect assignments and post lecture videos, among other uses. On Thursday, Daniel Ramirez, chief information security officer for the Texas Education Agency, released guidance to school districts advising them on steps they should take, including reviewing account security and monitoring for suspicious activity. The agency is working directly with Instructure through the Fort Worth-based Education Service Center 11, Ramirez said.

A number of North Texas districts sent notices to parents about the attack. In a letter sent Friday morning, Garland ISD officials assured parents that the district doesn’t store any sensitive information such as Social Security numbers, home addresses or passwords in Canvas. The district manages grades through Skyward, a separate platform, officials said, and students wouldn’t be penalized for not turning in any assignments that were affected by the breach.

Similarly, officials in Frisco ISD notified parents that hackers obtained some data associated with the district’s Canvas account, but the district doesn’t share sensitive data like Social Security numbers or financial information with the company.

Dallas ISD doesn’t use Canvas. District officials said they’re working with the district’s higher education partners that may use the platform to determine whether any of the district’s students were affected.

The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft, told the Associated Press.

Related: Cyberattack and outage of Canvas online learning platform disrupts North Texas schools

Screenshots Connolly provided to the Associated Press showed that the group had been threatening to leak the trove of data. By Friday, Instructure and Canvas had been removed from a dedicated leak site created by the ransomware group on the dark web to publish stolen data, he said.

Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group also has been tied to other attacks, including Live Nation’s Ticketmaster subsidiary.

Canvas breach disrupts finals for Texas colleges

The breach hit universities across the country, like Harvard University, University of Pennsylvania, and the University of Michigan, according to their student newspapers. Several North Texas schools lost access to Canvas, including Southern Methodist University, the University of North Texas System, Baylor University, and Tarrant County College. 

The cyberattack came just as students were preparing for final exams. At SMU, final exams scheduled for Friday were postponed until Sunday, officials said in a Thursday email. The same day, Baylor University also announced plans to delay final exams scheduled for Friday. 

The University of Texas at Arlington said its Information Security office is assessing the impact on students. 

According to its website, Tarrant County College is monitoring the situation, noting that the “breach remains isolated.” There is no evidence that passwords, financial information or social security numbers were compromised, the school said. 

At a La Madeleine restaurant near SMU, freshmen Chase Feltheimer and Ashton Perisa hunched over their notebooks and laptops, brewing over moral and societal dilemmas. They were doing some last-minute studying before their philosophy final Friday.

“It was a bad time for [the breach] to happen,” Feltheimer said.

While Feltheimer had the option to take the final on Sunday, he figured it would be better to get it out of the way. After all, he would rather spend time with his mom on Mother’s Day.

But they anticipate that other students will take advantage of the extra days to hit the books. When Feltheimer and Perisa go to take the test at around midday, they anticipate their class will look sparser than usual.

Read more Where is the cheapest gas in North Texas?

“It is fun to have a delayed final and get to be able to study a little longer,” Perisa said. “But at the end of the day, if you’re able to get it done, you should not have to worry about extra stress.”

Rahul Unnam, a UNT master’s student, checks Canvas daily, so he noticed when the site was down. With deadlines approaching, he was initially confused about how to submit his schoolwork.

Luckily, professors were quick to maneuver, having students hand-write assignments or turn them in through email, he said. Besides having contact information stored on Canvas, Unman wasn’t concerned by the breach — just inconvenienced.

“It’s mostly educational stuff,” he said. “Even if they take my PowerPoint presentation, what are they going to do with it?”

Besides, his days perusing Canvas will soon come to an end, one way or another. He is set to walk across the graduation stage Monday.

Fort Worth ISD and Canvas attack

Ale Checka, a teacher at Southwest High School in Fort Worth ISD, said leaders at her school sent an email Thursday advising teachers to shut down their computers and make sure their students had done the same. The school librarian, who also handles tech issues, then went to every teacher and asked them to make sure their phones were off the school’s Wi-Fi network, she said.

On Friday morning, the school’s principal announced that teachers and students could get back online but should still avoid logging into Canvas. That was a major disruption for teachers, Checka said. Students couldn’t access or submit assignments through the platform. Many teachers had entire lesson modules stored in Canvas and haven’t had paper copies for years, she said.

Checka said she was less affected than some of her colleagues because she avoids using the platform as much as possible.

“It’s just a pain in the butt, and that’s on the best day,” she said.

The Canvas breach isn’t the first time Fort Worth ISD has dealt with cybersecurity issues. In March 2020, just days before the pandemic shut down campuses, a malware attack shut down the district’s website and computer network. That attack was more disruptive, Checka said, because it not only prevented them from communicating with students, but also prevented them from using the network to communicate with each other.

“On the scale of disruptive ransomware attacks, this one is less bad,” she said.

Other North Texas school districts have been targeted by cyber criminals. In separate incidents in 2021, hackers accessed the networks of Dallas ISD and Allen ISD and stole personal information of district staff and students.

Cybersecurity expert: Communication is key

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, said it’s important for districts to keep updating parents and teachers about what they know and don’t know in the aftermath of the breach. For most students, the primary concern is most likely assignments and due dates, he said, so districts need to have a plan for how they’ll work with students whose assignments were disrupted. 

For parents and students, it’s important to be wary of any correspondence that looks like it’s coming from their schools, their teachers or Canvas, Steinhauer said. The breach has gotten enough attention that it gives other bad actors an opening to try to trick people into giving up their contact information or passwords, he said. If parents see a suspicious-looking email purporting to be from their kids’ school, they should call the school to confirm, he said. 

Cyberattacks against schools have become increasingly common over the past few years, with criminals exploiting often-outdated security systems and under-resourced cybersecurity teams. But the Canvas breach was different in that it targeted a trusted vendor, rather than school districts themselves. 

It’s unreasonable to expect school districts not to use platforms like Canvas, Steinhauer said. But it’s important for districts to ask tough questions about issues like security when their contracts with those companies come up for renewal, he said. There are only a handful of companies providing the same services that Canvas offers, he said, but there’s enough competition that districts can shop around if the company they work with doesn’t seem like a safe option.

North Texas school districts, colleges affected by Canvas outage

Here are some of the schools in the Dallas-Fort Worth area affected by the Canvas cyberattack.

• Allen ISD
• Frisco ISD
• Fort Worth ISD
• Garland ISD
• Southern Methodist University
• Tarrant County College
• University of North Texas System
• University of Texas at Arlington

The Associated Press contributed to this report.

The DMN Education Lab deepens the coverage and conversation about urgent education issues critical to the future of North Texas.

The DMN Education Lab is a community-funded journalism initiative, with support from Bobby and Lottye Lyle, Communities Foundation of Texas, The Dallas Foundation, Dallas Regional Chamber, Deedie Rose, Garrett and Cecilia Boone, Judy and Jim Gibbs, The Meadows Foundation, The Murrell Foundation, Ron and Phyllis Steinhart, Solutions Journalism Network, Southern Methodist University, Sydney Smith Hicks, and the University of Texas at Dallas. The Dallas Morning News retains full editorial control of the Education Lab’s journalism.

Read more UTA to cut, merge some academic programs to ‘maintain fiscal responsibility’