Instructure / Canvas Data Breach - What To Do
I’ve had a number of people ask me over the day what they should be doing. The answer is it depends. I’ll respond to two different contexts: What should you do if you or your child was impacted? And what should you do if you are a school or school system? A good reference for what happened is Krebs’s blog: Canvas Breach Disrupts Schools & Colleges Nationwide – Krebs on Security
What to do if you or your child is impacted
Since information regarding this breach is currently sporadic, I recommend assuming that personally identifiable information (PII) has been compromised. This likely includes Social Security numbers or enough data to attempt identity theft. I wrote a blog post several years ago about managing this personally that remains relevant today: Identity Theft - It Happened To Me — alaniz.io.
Get an IRS Identity Protection PIN: If you or your child files taxes, obtain a PIN from the IRS immediately. This ensures a PIN is required to file a return in your name.
Freeze your credit: This is different from credit monitoring or fraud alerts. You must do this for each person and with each of the three major reporting agencies: TransUnion, Equifax, and Experian.
Note for Minors: For children under 18, you will typically need to submit these requests via mail.
How it Works: A freeze prevents any new credit files from being opened without you manually lifting it. While it adds a step if you need a loan in the future, the security it provides is worth the effort.
Prepare Emotionally: Current reports suggest the breach may include private messages and grades. It is wise to prepare for the potential exposure of sensitive personal communications.
What to do if you’re a school or a school system
If you represent a school system, you are in a difficult, though not unprecedented, position. You have experienced a third-party data breach, meaning you have effectively delegated your FERPA and state privacy obligations to a vendor who has now been compromised.
Contact Legal and Insurance: First, contact your attorney, then your cyber liability insurance provider. This ensures you engage the right experts in a protected manner. Depending on the data leaked, lawsuits are a possibility; you must understand attorney-client privilege and discoverability. Remember: what you say in texts, emails, and public posts can be used in litigation.
Engage a Security Firm: Often, your attorney or insurer will recommend or provide a specific vendor. While your direct infrastructure was likely not impacted, which reduces the remediation effort, you still need to understand the scope of the impact and navigate the complex technical and legal vocabulary of a breach.
Cipher North has developed a comprehensive series on building incident response programs. You will face questions from leadership regarding preparedness and from parents regarding trust. How you respond internally and externally is critical; trust is easily destroyed during a crisis.
Read more on managing the executive response during an incident: Incident Response Preparedness: Executive Management in a Crisis — CipherNorth.