Global student network more vulnerable after successful system hack – experts

Source: Radio New Zealand

University of Auckland computer science lecturer and technology consultant Ulrich Speidel. RNZ/Luka Forman

A computer science lecturer warns that universities are much more vulnerable to having their systems hacked, after the learning portal many use had its security breached last week.

Last Friday, the Canvas system was hacked by a “malicious actor”, and names, email addresses, phone numbers and messages between students and staff were put at risk.

The system, used by about 9000 institutions worldwide, was out of action for about two days, before it was brought back online.

University of Auckland computer science lecturer and technology consultant Ulrich Speidel said the system was now far more vulnerable to future hacks, because the hackers had got inside the programme.

“The moment you’re on the inside and you can actually see the code that’s there, it makes it much, much easier to look for security holes.”

Because of that, he worried the hackers could strike again soon.

“We might be seeing those hackers come back in days or weeks to come, once they’ve looked through the code that they may have been able to look at.”

Speidel said his department was planning for how it would teach students without Canvas, if there was another hack.

He had raised concerns about Canvas in the past, after noticing that students could log into one account from different locations during an exam, allowing them to bring in outside helpers.

He said the response from Instructure, which runs Canvas, was to ask him to put it on to the community mailing list and, if enough people supported it, they’d fix it.

“That’s not really the attitude that I’d expect from a supplier who prides themselves on providing a secure system.”

Earlier this week, Instructure said it had “reached an agreement” with the hackers.

As part of the agreement, the stolen data had been returned, along with digital confirmation that the hackers had destroyed the data on their end.

Speidel said cybersecurity was not usually a priority for organisations commissioning a web app from a third party, but it should be.

“Universities are not alone in this… people need to ask, what’s the vendor’s security stance? What experience do they have in terms of security?”

Cybersecurity commentator Anthony Grasso agreed that organisations needed to take cybersecurity more seriously and legislation was needed to make that happen.

“Right now, there is no reason for them to really put a lot of effort into cybersecurity, in terms of the law.”

The government has drawn up a Cyber Security Action Plan, which includes considering the introduction of penalties for data breaches under the Privacy Act.

Grasso said that could mean, in future hacks, organisations that had their data breached could be liable. In a case like the recent Canvas hack, that could be the universities themselves.

“I would imagine the privacy commissioner in New Zealand would be fining universities, because ultimately, they’re outsourcing this part of their business, so universities still really are held accountable for the data.”

The Justice Ministry, which leads work on the fines, said there were various options for liability, which it would provide in its advice, and couldn’t comment on liability in the Canvas example.

Grasso agreed with Speidel that the Canvas hackers would likely be waiting to strike again.

Universities and Instructure respond

A University of Auckland spokesperson said Canvas was a third-party teaching and learning portal, used by 9000 teaching institutions worldwide.

They said the hack was not a breach of the university’s systems and no other systems were at risk.

Victoria University of Wellington chief operating officer Tina Wakefield said the university invested in industry-leading tools to monitor and contain cybersecurity threats.

“We will conduct a full internal inquiry into this incident to ensure we are prepared for the future.”

An AUT spokesperson said it had both incident management and cybersecurity plans for hacking situations.

“The incident has highlighted our ongoing work to keep staff and students informed about risks, and we continue to roll out training, including flagging phishing risk that can result from leaked information.”

They said the recent incident had highlighted ongoing work to keep staff and students informed about risks, including training about phishing attempts that can result from leaked information.

Instructure, the company that operates Canvas, referred RNZ to an earlier statement from its chief executive officer.

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom… I’m sorry for that.”

“Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.

“We’ll give you clear guidance, if any action is required on your end. Right now, there’s nothing you need to do.”


– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand