Canvas hack shows that your data is only as secure as your third-party providers
The recent Canvas hack not only disrupted learning around the globe, but threatened to expose the personal data of millions of individuals. With organisations required to hand over control of their data to third parties in return for access to services, how can they protect themselves from a similar incident?
On Thursday, 7th May, students across the world sat down at their desks to discover that Canvas, a digital learning platform used in thousands of schools and universities worldwide, had been rendered inaccessible. In its place was a short message, aimed at the institutions and Canvas’ creators: negotiate a ransom settlement, or have your data released on the internet. While ransomware attacks like this are nothing new, the scale here is notable; according to the hacking collective ShinyHunters, who claimed responsibility for the attack, the data stolen belonged to more than 275 million individuals at over 8,000 institutions around the globe. If true, it would constitute one of the largest breaches of student data privacy ever.
With the data purportedly ranging from names and email addresses to the full messages of students and teachers worldwide, its public release would have highly damaging consequences for the individuals involved. As EdTech specialist Ian Linkletter told 404 Media, such messages would likely include sensitive information such as “personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations”. Beyond the innate privacy violation that comes with the release of such data, students would face being in greater danger of subsequent phishing attacks, as the highly personal information is weaponised against them.
This time, at least, it seems as though the release of this data has been averted; Instructure has released an update stating that an agreement has been reached with the group, and the Canvas platform is now fully functioning once again. This does, however, emphasise that the breach was avoided not through any cyber defence or law enforcement, but by meeting the demands of the hackers – with a rumoured $10 million being paid out by Instructure, and no way for them to know for certain that the stolen data was actually destroyed by the perpetrators.
The scale and potential fallout of this attack reflect two major concerns in the cyber security community. Firstly, there is the inherent danger of a single centralised platform storing and processing data for millions of students. Secondly, by ceding control of your data to a third party, you also give up your ability to directly protect that data against breaches or leaks. In the case of the Canvas hack, there was effectively nothing an individual university or school could have done to prevent the breach, short of not using Canvas in the first place.
While Instructure naturally has a black mark on its security record now, prior to May there was no indication that it was any more or less secure than its competitors. In a world where the use of third-party providers is often a requirement of accessing certain functionality, it can feel like organisations must necessarily give away control – but there are still steps that can be taken to provide your users with as much protection as possible.
What can organisations do to ensure the security of their providers?
Gauge their credentials
While it’s not possible to audit the inner workings of a third-party provider yourself, you can check whether they have been assessed against industry standards such as Cyber Essentials Plus and the Cyber Assessment Framework. This will provide you with an idea of the baseline security from which they are working, while IASME provides a list of questions to build a more in-depth overview of prospective third parties.
Survey the competition
Check whether the functionality you’re looking for is available either as a locally hosted service – stopping data from leaving your sphere of control – or through established names such as Microsoft or Cisco. While these companies aren’t immune from attacks, their expertise and long history in the sector means that they will generally offer more protection than a new startup without equivalent experience in the field. In the case of the Canvas hack, the University of British Columbia has since moved to Moodle and SharePoint for the services that Canvas was providing – the former offering local hosting functionality, and the latter being a Microsoft product.
Audit your agreement
In the UK and EU, organisations are required to provide details on the data they collect and process, the reason for its processing, and the length of time it will be stored – though finding that information may sometimes be difficult. By comparing competitors offering similar services, you can ensure you’re working with a partner that collects the minimum required data, and thereby limit the fallout of a leak or hack for your organisation.
Check your permissions
Many third parties will themselves have external partners that integrate into their service through plugins and extensions, with their own privacy and data collection policies attached. By enabling such integrations, you can easily go from sharing data with one third party to a dozen or so. Review your permissions to ensure you’re only sharing data where necessary, and with partners you’re comfortable doing so.
Consolidate where possible
If a range of services is in use within your organisation that all achieve the same objective, this inevitably increases risk and provides additional potential attack vectors. Build a clear picture of what is in use, identify duplication where it exists, and consolidate based on the principles above.
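The three steps above (minimising the data a provider collects, reviewing which further parties an integration hands data to, and spotting duplicated services) can be turned into a repeatable review of a service inventory. The following is an added example, not code from the article or from any provider it names; the vendor names, data categories and integration links are a constructed inventory used only to show the checks. It walks the integration graph to find every party data can reach (including ones the organisation never contracted with directly), lists which data categories leave self-hosted control, flags capabilities served by more than one enabled service, and picks the candidate that collects the least data for each.

```python
"""Third-party exposure review over a constructed service inventory.

Added example: the inventory, vendor names and data categories below are
hypothetical and are not taken from the article or from any real provider.
"""
from collections import deque

# Constructed inventory. Each entry records what the service does, where it
# runs, the data categories it receives, and which further parties it sends
# data on to through enabled plugins or integrations.
INVENTORY = {
    "LearnHub": {"capability": "learning platform", "hosting": "vendor-cloud",
                 "data": {"name", "email", "messages", "grades"},
                 "integrations": {"CheckWrite", "ClipStream"}},
    "OpenCourse": {"capability": "learning platform", "hosting": "self-hosted",
                   "data": {"name", "email", "grades"},
                   "integrations": set()},
    "CheckWrite": {"capability": "plagiarism check", "hosting": "vendor-cloud",
                   "data": {"name", "submissions"},
                   "integrations": {"MetricsCo"}},
    "ClipStream": {"capability": "video hosting", "hosting": "vendor-cloud",
                   "data": {"name", "email"},
                   "integrations": set()},
    "MetricsCo": {"capability": "analytics", "hosting": "vendor-cloud",
                  "data": {"email"},
                  "integrations": set()},
    "DocShare": {"capability": "file sharing", "hosting": "vendor-cloud",
                 "data": {"name", "email", "files"},
                 "integrations": set()},
}

# Services the organisation has contracts with and has enabled directly.
# OpenCourse is still in use in one department alongside LearnHub (constructed).
DIRECT = {"LearnHub", "OpenCourse", "DocShare"}


def reachable_parties(inventory, direct):
    """Every party data can reach, following enabled integrations transitively."""
    seen, queue = set(), deque(sorted(direct))
    while queue:
        party = queue.popleft()
        if party in seen:
            continue
        seen.add(party)
        queue.extend(sorted(inventory[party]["integrations"]))
    return seen


def exposure_by_party(inventory, direct):
    """Data categories each reachable party receives, plus the parties that are
    only reached indirectly (i.e. never contracted with directly)."""
    reached = reachable_parties(inventory, direct)
    categories = {p: set(inventory[p]["data"]) for p in reached}
    indirect = reached - set(direct)
    return categories, indirect


def categories_offsite(inventory, direct):
    """Union of data categories held by reachable parties that are not self-hosted,
    i.e. the data that has left the organisation's sphere of control."""
    categories, _ = exposure_by_party(inventory, direct)
    return set().union(*(cats for p, cats in categories.items()
                         if inventory[p]["hosting"] != "self-hosted"))


def duplicate_capabilities(inventory, direct):
    """Capabilities served by more than one directly enabled service."""
    by_cap = {}
    for p in direct:
        by_cap.setdefault(inventory[p]["capability"], set()).add(p)
    return {cap: names for cap, names in by_cap.items() if len(names) > 1}


def least_data_option(inventory, capability):
    """Among all known services for a capability, the one that receives the
    fewest data categories; ties go to self-hosted, then to name order."""
    candidates = [p for p, rec in inventory.items() if rec["capability"] == capability]
    return min(candidates, key=lambda p: (len(inventory[p]["data"]),
                                          inventory[p]["hosting"] != "self-hosted", p))


if __name__ == "__main__":
    cats, indirect = exposure_by_party(INVENTORY, DIRECT)
    print("parties data can reach:", sorted(cats))
    print("reached only via integrations:", sorted(indirect))
    print("categories held off-site:", sorted(categories_offsite(INVENTORY, DIRECT)))
    for cap, names in duplicate_capabilities(INVENTORY, DIRECT).items():
        print(f"duplicate '{cap}':", sorted(names),
              "-> least data:", least_data_option(INVENTORY, cap))
```

Run against the constructed inventory, the review shows three parties that the organisation never signed an agreement with but which nonetheless receive data through LearnHub's plugins, and that two learning platforms are enabled where one (the self-hosted, lower-data option) would do. Populating the inventory from real contracts and the provider's own integration settings is the manual part of the exercise; the graph walk is what makes the indirect sharing visible.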
Build a report
If you’re still not certain about a provider, there is government guidance available around managing third-party product security risks, assessing products, and producing a security report.
Peter Jones
Cyber Security Specialist, CISSP, CISM, CCSP
Peter Jones is a Cyber Security Specialist at Conscia UK. He has been in the IT industry for over 30 years, providing consulting and advisory services to both Commercial and Public Sector Accounts throughout Europe. Having previously worked for both Cisco and Microsoft, Peter combines professional and academic achievements with real world experience to support our UK business. He currently holds CISSP, CISM and CCSP certifications.