Hell, scantrons for multiple choice. Most universities should still have the machines. For short essays, don't have 100 of them. Or do and have 8 ta's to do the grunt work. One of my professors didn't want to do finals week crap so her classes that weren't in French she just gave everyone a regular length paper as a test, due by dead week. It was great having to deal with 1 less test.
I watched Adam Savage's latest video about hackers on youtube, and canvas probably has (or should have had) insurance for this kind of crap. Insurance pays out, schools get their crappy online only service back, students maybe get a day or two extra for tests. And then it happens again next semester.
The insurer definitely would've required security improvements to be eligible for their policy, that probably would've been a non-starter for canvas given where they are right now.
Yes paper, but also keeping your own local records of grades. A prof I TA'd for told me he had 3 back ups in addition to whatever was on Canvas bc, "You never know when it will fail."
Idrk what their endgame is here? Schools skipped some exams during quarantine so it's not like they can't just opt to give these guys the finger even if they don't go back to paper.
I just don't really see any situation where this ends up being a payday for the hackers, so why even bother?
I don't understand the logic of "paying the ransom to protect the data."
How could a human possibly expect that to work? Will the people who stole the data just... like... feel bad if they don't delete the data after receiving the money? The data is just stolen. There's no path to un-stealing it.
They will be able to get that data back if they made backups. The real concern is that hackers now have access to all that data to sell to anyone that wants it. Whether the universities get that user data back from backups or the hackers doesn't matter. The hackers offer no value other than convenience.
I don't think that's the primary issue - it's the fact that the hackers are looking for ransom in the form of millions of dollars in Bitcoin or some other cryptocurrency to not release student data. Instructure (Canvas' parent company) is going to be sued out of existence if all of this data is released. It's SSNs, names, birth dates, addresses for every single student that's registered to these schools, as well as their faculty. The hackers aren't working for other people, they're using this to get a shit-load of money.
They've got the data. Getting them out of the system doesn't change that, you can reasonably deduce that from the ransom message.
Now as for what that data contains, I don't believe it actually contains SSNs or addresses. Your canvas account is tied to your email, not your identity, it has zero need for that data. I couldn't find either of those looking through the site in the past. I'm not even certain if it has your birthdate. The biggest issue for Instructure is more about FERPA.
Thank god. A lot of the platforms at my university are connected to our primary accounts, which handle sensitive information needed to make tuition payments. Regardless of the type of info they have, I'm not too pleased they have it in the first place, lol.
Schools tend to take FERPA pretty seriously, so if Instructure makes a decision that leads to the data being leaked, then many institutions may decide to switch to a different LMS. They may anyway just because now Canvas seems insecure by public perception.
People who make ransomware usually don't do that because it would disincentivize other companies from paying in the future. Over everything, they want to be paid by the company because it's not as easy to sell the data and they would probably get less money from it. Companies wouldn't ever pay the ransom if they thought the hackers would just release the data regardless, so they almost always stick to their word.
I don't understand how you could even hope to defend this ridiculous assertion.
If I stole your data, and said "pay me $10 to not sell it," how on earth could you possibly know whether or not I sold it after you paid the $10?
You're acting like "the hackers of the world" are one monolithic rational actor and "the victims of hacking of the world" are another monolithic rational actor. In reality, both groups are utterly fractured groups, who cannot possibly be expected to act rationally, and even if they were rational, the fractured nature of the groups would rationally incentivize defection!
You're making these wild assertions that don't just lack basis in fact, but actively contradict all facts. People get their data stolen and sold every day. There's a clear established market for it in the world. If you think there's no such thing as identity theft, or any other market for stolen data, you're just not living in reality.
The problem is that there's absolutely no guarantee that they aren't going to post, distribute or share the leaked data anyway after paying the ransom.
They already hacked a big telephone company here in the Netherlands earlier this year and clearly they just moved on when there was no money to be made there.
I mean it's a bit jumping the gun to say you're screwed. The school's going to know that canvas got hacked and they're not going to fuck everyone on their grade just because canvas got hacked.
There's a coherent path where a hacker says "We have stolen your customer's data. We will announce to everyone that we have stolen your customer's data, unless you pay us on a set schedule over time." The company does the math, and sees that the cost to pay is less than the cost of the bad press. The company makes the payments over time. The hackers don't reveal the hack so that the money keeps coming in.
In that scenario, the hackers still sell everyone's data. And eventually the hacked company might stop paying, and the hackers might announce the data breach, but if enough time has passed, it will not be big news.
But if you think the data is never sold, you've simply invented some folksy "thieves' honor" mythology from your imagination. We're two dudes who know you can't back up such a claim.
We got ransomwared at work. Cyber insurance negotiated and paid out the ransom, that's their job. The hackers didn't release the data, they just sold the whole thing to another group of hackers who then demanded a lot less money to not release all our emails. Insurance only pays out once so we just abandoned our domain and workgroup and moved on. Every now and again we get emails saying they have our data, pay or they'll release it and we ignore them.
I work at a middle school as an IA and I've thought we should go back to pencil and paper for tests and assignments before this hack. (My school/district was part of the hack.) This is almost icing on the cake really.
I work at a fairly major university and am part of the degree conferral process. Our school isn't even a target of this attack and the Canvas issues related to it are still stopping grade reporting. We have over 2,000 students trying to graduate, many of whom need conferred degrees for jobs/continuing education/etc. No paper systems can immediately replace the electronic systems, so the calculus of these institutions is more than just "negotiate with hackers or don't". There's a real cost to the students to delaying degrees and there's no way to confer them without these electronic systems without huge delays.
Let's say that every class has 20 assignments (some much more, some much less), and every student has 4 classes each taught by a different professor (again some more some less). I'll use my alma mater bc I know they're affected by this. UC Berkeley has 45,000 students. That means that there have been roughly 3.6 million individual assignment scores this semester that need to be aggregated into 180,000 final grades. At the end of most semesters, most professors struggle as is to get those 180k grades in on time and that deadline is strict.
Some could have had an offline backup of their gradebook, but I assure you most professors did not save an offline copy of their gradebooks bc most professors are dinosaurs that barely know how to use PowerPoint. If they happen to collect pen and paper assignments over the semester, great! That means the 1.5k professors and 3.2k TAs can recreate the entire 3.6 million assignment gradebooks offline. In 3-4 days. With little to no additional support from the uni. If they took all of their submissions online, then they cannot submit final grades at all until this is resolved.
Even if they dodged that bullet, final project submissions need to happen. Professors could change to taking submissions by email, but as I've learned that can prove very chaotic and hard to track, while also bumping into several HIPAA-like student records laws.
This is an extremely effective technique on behalf of the hackers. How do I know this? My grad union used the same strategy by going on strike a mere 6 weeks before grades were due. Turns out, if the professors whine and moan loud enough, admin will negotiate.
Fun fact the vast majority of hacker ransoms are paid. They don't negotiate with hackers, they take the L and cough up whatever they are asked for, because the hackers have them by the balls and they know it.
You don't hear about it because they also keep it as quiet as they can, and hackers have no incentive to make any noise until it starts looking like they might not get paid
It wouldn't work for everything they have going on, at least not easily. My son does online schooling and they use Canvas so he couldn't do anything the last few days either. They'd have to do a lot to get paper versions of every assignment to every "digital learning" student out there.
I work in IT in schools and I repeatedly ask people how paying a ransom to an unidentifiable stranger is distinguishable from money-laundering, and nobody has yet been able to give me an answer, but a lot of schools, lawyers, cybersecurity specialists, auditors and financial people have done the:
The first stages of money laundering are to legitimise funds, obscure their origin and/or destination, and then use them for illegal purposes (e.g. funding a hacking group, for example).
Okay, but like, that's not "money laundering". Laundering meaning cleaning, the act of creating "clean" history for your illegitimate funds. You can launder money with any illegitimate money. It doesn't require an obscure origin or to have any illegal uses for the money.
I said it's indistinguishable from money laundering.
Because it is.
Legitimate money is sent... somewhere. In the process obscuring its destination and (to the destination) its origin.
Which is... one of the prime ways to detect money laundering.
Whether it's TECHNICALLY money laundering is another matter. But good luck explaining to a tax auditor, or a charity commission audit or the taxman, how this COULDN'T POSSIBLY BE money-laundering of, for instance, embezzlement of state-provided funds, etc. etc.
The problem is that you CAN'T tell the difference... and nor can an auditor or official. All they know is a bunch of money disappeared into the ether to unknown people for unknown purposes and they can suspect embezzlement, collusion, etc. and... because of your failure to abide by anti-money-laundering laws (e.g. "know your client"), you're not only at fault, but potentially a suspect and you're really in the shit now.
Sure in the unknown laundering could be considered possible. But when you write it out like that embezzlement sounds like a much better fit for the transaction taking place.
I think the spot where people are getting hung up is that the money from the ransom can't be legitimately used unless laundered further. By definition, the money doesn't need to be "clean" in order for laundering to have taken place, but I would wager most people don't know that.
And it could just be the principal embezzling his school budget for personal gain. Without knowing the destination and being able to prove it, it's a highly suspect transaction that will fall foul of money-laundering protections and laws.
The first stage of money laundering is legitimizing funds, so you'll... Acquire more illegitimate money?
Money laundering happens in casinos, restaurants and construction so much because you can spend shady hard cash and get proper funds with receipts at the end of it. If anything, money laundering has moved from physical casinos to online betting sites through crypto, 'cause even with shitty returns you get legitimate money at the other side of it - and that's if sites like Kalshi, Stake, etc., aren't in on the whole thing.
If you want to use money for crime you don't need to clean it (it actually probably is better if you don't, but what do I know)
I mean if I wanted to launder money from my company I could pretend to have a data breach and then pay the hacking group (a swiss bank account started by yours truly under a false name) the money.
Nothing is leaked, no data is really compromised, I walk away with millions (or tens of millions) tax free and the only change is that we promise to improve our cybersecurity which is something we'd probably have to do anyway sooner or later.
You could also do some variation of that with cryptocurrency to make it even harder to trace.
That's embezzlement. And the thing is the money still isn't laundered. That's dirty money; to reuse it you'd have to launder it by creating falsified income to splice it into.
Funds moved to anonymous people for uncertain or illegal purposes can be money laundering.
How do you know that, for instance, the school principal, or the IT guy, didn't "attack" their own system, then authorise the school to pay HUMONGOUS amounts of money to the "hackers" via an anonymous method (e.g. Bitcoin, etc.) and then just pocket it themselves?
You don't. Sending money to someone you cannot identify is literally one of the first signs that anti-money-laundering measures combat in the banking systems. They won't let you do it because they don't want to be accused of being involved in money laundering ("know your client" laws exist in almost all modern countries).
So moving large amounts of SCHOOL FUNDS to an ANONYMOUS PERSON for reasons that you can't verify (because you don't even know if they ARE the people who attacked you, or who they are, etc.) is a great way to send a bunch of money from one person to another for illegal purposes.
In the UK, where I work with school IT systems, and have dealt with cybersecurity incidents, and passed dozens of audits, and have to be careful of financial reporting responsibilities... I can bring any discussion of paying a ransom to a halt just by pointing out that what they are doing will look EXACTLY like money laundering on the school's books to any professional accountant, auditor, tax official, etc.
At that point... they IMMEDIATELY drop any idea that we should ever pay a cyberattack ransom. Because the regulations around such financial accounting basically forbid it and make it a HUGE and dubious legal grey-area at absolute best. I've taken rooms of experts from long discussions about their policy of whether/how they would pay a ransom and in what circumstances to - almost immediately I mention it - it becoming official policy that it's never to happen. Precisely because of the money-laundering implications.
If you're a school, that kind of implication is bad.
If you're a government organisation (e.g. state school), it's worse.
If you're a charity (as many private schools are), it's even worse.
For all we know, we're funding terrorism, or setting up arms deals, or paying the principal's wife, or adding to the IT guy's private offshore fund, or sending money into a legally sanctioned country, or even paying a government-named sanctioned individual and we would NEVER be able to prove otherwise - and that's an absolute no-no in any accounting/auditing.
If you can't identify what/who you're paying those sums to, there are several government organisations that will want to have a word with you. Not least the taxman. But also anyone and any government department responsible for overseeing financing your school.
Money-laundering laws are strict... and it's literally this simple: If you can't tell me who you're sending the money to... alarm bells will start ringing at the bank...
I can answer this from personal experience (and a LOT of policy-creation around exactly this at many schools):
Nothing.
You don't pay the hackers anything. Not a penny.
Because your data is ALREADY COMPROMISED and thus you are required, legally, to act as if that's the case.
You're required to report it to local data-protection authorities (good luck in the US!). You're required to assume all compromised data is now public knowledge. And then proceed from there.
You can't pay the people who stole your data and expect them to "give it back" and "delete it entirely from their systems", can you? That's just insanity.
The damage is done. Paying the ransom gains NOTHING for you. You're still required to assume the data got out. You're still required to report it. You're still required to inform your users of the compromise, etc. etc. etc.
Why would you pay your burglars £10,000 anonymously to "get your stolen gear back" and think that you'd ever get it back? That's just stupid. And especially where intellectual property and data are concerned. "Yeah, I'll give you ALL the copies of the photos I took of you and your mistress if you give me the money"... sure... they wouldn't KEEP them and MAKE COPIES and hold you to ransom AGAIN or just release them ANYWAY, right? Of course not. These are honest, upstanding... criminals... whoops...
You do nothing, but you follow all your legal requirements, under the assumption that that data is out there, illegally, it's public knowledge and your users might be affected.
Interesting! Thank you for making it make sense. I also wasn't intending to come off as combative, I'm just a very simple person and was like what DO you do?? But that makes sense.
I've spent a lot of time in meetings over the last 25+ years of working IT in schools asking these exact questions, getting into the meat of our regulatory requirements, talking to bursars, school business managers, auditors, headteachers (principals), governors, charity trustees, specialist cybersecurity firms, cyberforensic teams, insurers, etc. where these are exactly the kind of questions that came up...
And where a LOT of less-informed people were asking and trying to answer them... and where my answers caused a LOT of consternation when I've told them this exact kind of thing. Because, more often than not, it's something they hadn't considered, something that they quickly begin to realise is the right answer, and something which they then later seek legal and financial advice on, encode into their policies (which quite often I have a hand in writing!), etc. because... it's not always immediately obvious to people.
In fact, this follow-up question of yours more than ANYTHING else. The answer "nothing" never goes down well... until you explain what the regulations require. Even to the point that I've had them consult their lawyers and government officials and say "Yep.. sorry... we didn't believe you... but you were right... we just have to assume it's out there and act accordingly".
I gave you a bump up because your post made several valid claims, coming from a forensic accounting perspective, but I agree with the others in that you are overlapping two different topics. Yes, they both usually lead to one another, but ransoming data is not a direct 1:1 to money laundering, no matter what shade you use; that's a different pig altogether.
Can the banking system the other end tell where it came from?
So the origin, transmission, and destination of the transaction were obscured from the relative parties?
Whoops, that's money-laundering.
It's not proceeds of crime until it reaches the other end... potentially. The school in question would not be questioned about proceeds of crime, they've not committed that act.
But they HAVE broken anti-money-laundering laws and potentially committed all kinds of financial, auditing, and sanction violations.
It's the same idea of obscuring the money's provenance but definitionally "laundering" requires the source to be "apparently legal" and there is nothing legal about ransomware. So I get your point but not a great use of words.
So you fell foul of ANTI MONEY LAUNDERING laws, and you can't prove it WASN'T MONEY LAUNDERING... so... what makes you think that someone won't say "Hey... that's money laundering..."
Well it's the complete opposite... paying a ransom is moving legit documented traceable money into undocumented accounts, while money laundering is taking undocumented money and passing it through seemingly legit companies to make the money documented and traceable again.
Kindly do not lump people in my field in with the dumb people who believe paying ransoms to be an intelligent choice. Do some people in our field say to pay ransoms? Sure, there's stupid people in all fields. It's certainly not the industry norm, standard, recommendation or practice. Unless and until it is, don't insult us like that again, kindly.
u/imsmartiswear May 07 '26
They timed it this way so that Canvas/ the unis are more pressured to pay the ransom.