Roanoke City Public Schools is reconsidering the division’s use of the online education platform Canvas after a massive data breach left the system offline and student information exposed earlier this month.
The division was one of hundreds of K-12 systems and colleges across the country impacted after hackers breached Instructure, the company behind Canvas, which schools use to manage assignments, track grades and deliver course content.Â
The cyberattack left varying levels of access to Canvas after hackers gained initial unauthorized access April 25 through May 8, when Instructure restored access to most users.
Roanoke City Public Schools removed access to Canvas as soon as it was notified of the breach, spokesperson Claire Mitzel said, and didn’t restore access until May 13, when the division’s technology department felt it was safe for use. Some Virginia school divisions began reusing the platform once it was back online on May 8.Â
The software remains disconnected from the district’s own student information system that houses student data like Social Security numbers, addresses and contact information, Mitzel said.
As soon as RCPS was notified of the cyberattack, schools “[discontinued] Canvas use until additional security controls, system reviews, and data-source disconnections were completed,” Mitzel said in an email.Â
Roanoke City Public Schools began using Canvas in 2020, when, like many school divisions, students and teachers pivoted to online learning while schools were closed during the pandemic. The division has continued to use it in the years since.
Approximately 7,000 Roanoke middle and high school students use Canvas, though how the platform is used varies by teacher.
For some courses, students may take a quiz or upload assignments to be graded. Some teachers also house course materials in Canvas and use it to post assignments and communicate with students.
Students enrolled in any online course offered through Virtual Virginia, the state’s online platform, use Canvas primarily for accessing coursework, assignments and communicating. Students sometimes take online courses because their home school doesn’t offer a specific advanced course, or to make up a credit and to fulfill graduation requirements. The Virginia Department of Education requires high school students to successfully complete at least one virtual course to graduate.
Canvas is provided free to school divisions through the Virginia Department of Education, which negotiates with the vendor.
Officials with the Education Department did not respond to questions or provide information on how many Virginia school divisions use Canvas or how the platform was vetted or funded.
Students don’t have the option of whether to use Canvas for courses, but K-12 educators could often pivot more easily to alternative, in-person options when access was limited during the breach, compared to college settings, where some courses centered around access.
Mitzel said Roanoke students, some of whom might have been in the process of working on end-of-the-year assignments, won’t be penalized for any assignments due or affected during the period Canvas was offline.
RCPS is evaluating its use of Canvas as part of its own plan for maintaining continuity of learning when there are problems with a vendor, Mitzel said.Â
A specific alternative hasn’t been identified, but any new vendor would be evaluated through the division’s standard purchasing and approval processes, Mitzel said.Â
Since Canvas is a third-party vendor, RCPS is not involved in any investigations into the security breach and also was not able to tell families if or how many students and their information were affected.Â
Some school divisions across the state have tried to reassure families.
In an email on May 8, Alleghany Highlands Public Schools notified families of the incident and said “there [was] no evidence that AHPS systems were impacted or that sensitive information such as passwords, financial data, or government identifiers was compromised.”
“The incident may have involved limited user information, including names, email addresses, student ID numbers and message history. AHPS is working with Instructure, the provider of Canvas, and is continuing to monitor the situation while reinforcing phishing awareness among students and staff,” the message continued.
