
Canvas Hack Holds Campuses Hostage

The Instructure headquarters in Salt Lake City, Utah.

   In the age of diploma mills and commodified learning, edtech matters more than ever to an industry that is growing by 4-6% per year on average. Learning Management Systems (LMS) are the interface that students and teachers alike use to run classes, accept submissions, and communicate. These platforms warrant close scrutiny, especially when used by top-tier “R1” research institutions, because for them security may be a matter of national security. In a recent exploit of Instructure’s ubiquitous Canvas platform, a group was able to breach the Free for Teachers (FFT) feature, a free tier of the service that allowed teachers and professors to use the platform when their school or district was not ready to pay for a subscription.

   Over half of all major research institutions, as well as all 8 Ivy League universities in North America, use Canvas, including MIT, Harvard, and Cornell. Over half of the top 20 US medical schools and 9 of the top 10 global business schools use the platform as well. Canvas’ authentication layers include SSO/SAML/OAuth and institution-based identity federation through cloud-hosted or locally hosted identity providers, for instance Microsoft’s Azure or Active Directory, the latter of which employs authentication protocols like NTLM and Kerberos. The Free for Teachers (FFT) flow bypasses a number of these integral security controls, possibly simply for ease of onboarding prospective users. ShinyHunters, the black hat group responsible, posted its ransom note on the platform itself. The note explained that Instructure and its cybersecurity partner, CrowdStrike, had initially attempted to deploy security patches rather than negotiate. This failed attempt at securing the platform ultimately led to payment of an undisclosed ransom to the group.
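The point above, that a free tier can let accounts on an institution's domain sign in outside the institution's identity federation, is the kind of gap an institution can audit for itself. The following is an added illustration, not code from Instructure, Canvas or this article: the account fields, the provider and tier names, and the sample records are constructed assumptions, and the audit simply flags accounts on a federated domain that authenticate with local credentials or through a free tier instead of the institution's SSO.

```python
"""Added example: audit constructed LMS account records for sign-ins that
bypass an institution's identity federation (SSO/SAML/OAuth).

Not Instructure/Canvas code. The field names, the provider values
("saml", "oauth", "local"), the tier values ("institutional",
"free_for_teacher") and the sample records are all constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    email: str
    auth_provider: str  # assumed values: "saml", "oauth", "local"
    tier: str           # assumed values: "institutional", "free_for_teacher"


# Domains whose users are expected to authenticate only through the
# institution's identity provider (constructed sample, not real domains).
FEDERATED_DOMAINS = {"example-university.edu", "example-college.edu"}

# Constructed sample records: one compliant account, two that bypass
# federation on an institutional domain, and one outside any federated domain.
SAMPLE_ACCOUNTS = [
    Account("prof.a@example-university.edu", "saml", "institutional"),
    Account("prof.b@example-university.edu", "local", "free_for_teacher"),
    Account("ta.c@example-college.edu", "local", "institutional"),
    Account("tutor.d@mail.example", "local", "free_for_teacher"),
]


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def audit(accounts, federated_domains):
    """Return (email, reason) pairs for accounts on a federated domain that
    do not authenticate through the institution's identity provider.

    Accounts outside the federated domains are out of scope for the
    institution and are not reported."""
    findings = []
    for acct in accounts:
        if domain_of(acct.email) not in federated_domains:
            continue
        if acct.auth_provider != "local":
            continue  # federated sign-in (SAML/OAuth) is the expected path
        if acct.tier == "free_for_teacher":
            reason = "free-tier account on a federated domain signs in with local credentials"
        else:
            reason = "institutional account signs in with local credentials instead of SSO"
        findings.append((acct.email, reason))
    return findings


if __name__ == "__main__":
    for email, reason in audit(SAMPLE_ACCOUNTS, FEDERATED_DOMAINS):
        print(f"{email}: {reason}")
```

Run against a real export, the same logic only needs the provider and tier fields mapped from whatever the directory or LMS actually exposes; the value of the check is that it ties every institutional address back to the identity provider the institution already trusts.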

   This ordeal harkens back to another cybersecurity breach, in the fall of 2023, in which attackers took administrative control at ICBC (Industrial and Commercial Bank of China). That breach was attributed to exploitation of a vulnerability in the bank’s public-facing network load balancer. Appliances like NetScaler ADC (now Citrix ADC) sit in front of multiple availability zones that use elastic IPs and ultimately connect to the SWIFT Alliance Gateway (SAG) or Alliance Web Platform (AWP). The vulnerability, CVE-2023-4966, is colloquially known as “Citrix Bleed.” SWIFT (Society for Worldwide Interbank Financial Telecommunication) is the Belgium-based global backbone for financial messaging; it took the place of Telex’s public network as the United States pivoted from the gold standard to floating exchange rates. This privatization of infrastructure was driven by necessity as cross-border transactions increased drastically during the Nixon years.

   According to Instructure’s webinar FAQs on the matter, the company has “deployed CrowdStrike’s Falcon Platform to enhance detection and response capabilities and are working with expert vendors to maintain platform security for our millions of users.” While Instructure confirmed there is no evidence that passwords, dates of birth, government identifiers, or financial information were compromised, 275 Mn to 280 Mn individual records and 3.65 terabytes (TB) of data were leaked.