Data breach at Canvas – be on guard against online fraud
Instructure, the company behind Canvas, has experienced a data breach, and user data may have been exposed. Employees are encouraged to be vigilant against online scams.
The breach may affect more than 9,000 educational institutions and 250 million users worldwide. Instructure/Canvas has implemented a number of measures and reports that the security vulnerability has now been closed. OsloMet is in contact with the vendor and is working to get an overview of how OsloMet is affected.
What information may have been shared?
Names, email addresses (but not email conversations), student numbers, Feide IDs, and messages sent between users in Canvas may have been affected by the breach. This may apply to employees, students, and former students.
Course content, submissions and credentials, including feedback from teachers on submissions, have not been leaked.
Do I need to change my password?
Passwords are not shared with Canvas, so you do not need to do anything with your (Feide) password. Your national ID number or password is not stored in Canvas. OsloMet does this to limit the consequences of data breaches.
Higher risk of phishing attacks
There is an increased risk that students and employees may be exposed to online fraud, particularly so-called phishing attacks. See Sikresiden.no for more information on what you can do to avoid phishing and hacking.
Employees are encouraged to be extra vigilant for phishing attacks. Pay particular attention if you receive emails that appear to come from Canvas or OsloMet. Do not be tricked into opening an attachment, clicking through to websites, or providing sensitive information such as account or credit card numbers. This can be misused by criminal actors.
See Sikresiden.no for more information on what you can do to avoid phishing and other online fraud.
How can you find out whether your data may have been published/shared?
As of now, OsloMet has not received a complete and verified overview from Instructure of whether any users are affected or which information may have been published. This means that, for the time being, we cannot provide a reliable and complete overview to each individual employee or student.
If you become aware that messages or information about you have been published, we encourage you to document it (for example, with screenshots) and notify us at canvas@oslomet.no.
Information for students about the data breach (student.oslomet.no)
Updated 11. May at 13:30 with information on what data has not been leaked.
Updated 8 May at 13:05 with information on how employees can find out whether their data may have been published.
(This text has been translated with the use of SIKT KI-chat. The text has been quality assured by OsloMet.)
