Arlington Public Schools officials are urging school families to take extra care in the wake of a series of cyberattacks against a key online resource used by the school system.
The school system uses Canvas, a learning-management system for teachers and students that parents can access on a limited, opt-in basis.
Instructure, which operates the Canvas system on behalf of school systems worldwide, faced several cyberattacks on April 29 and again on May 7.
At the height of the episode, more than 8,800 educational institutions, including APS, were impacted, according to published reports.
One analyst termed it “the biggest student data-privacy disaster in history.”
In a May 8 message to families, Arlington Public Schools said its Canvas system was back online, with all services operational.
But it cautioned families that there may be further implications. Names, contact information and conversations/content within the system may have been compromised, school officials said, adding:
“At this time, there is no indication that passwords, Social Security numbers or financial information were compromised. However, situations like this can sometimes lead to an increase in phishing attempts targeting students, staff and families.”
“APS will never ask for passwords, login credentials or other sensitive personal information through email,” the school district wrote to parents. “We encourage families and staff to carefully verify the source of any unexpected or suspicious messages before responding or clicking links.”
“We are continuing to work closely with Instructure and will share additional updates if new information becomes available,” school officials said.
In a statement, Instructure officials apologized for a delay in communicating with Canvas users about the incidents, and said they were taking the breach seriously.
“Beyond the immediate response, we’re hardening administrative access, token management, permissions, monitoring and related workflows,” the company said.
The FBI, U.S. Cybersecurity and Infrastructure Security Agency and international law-enforcement agencies are involved in the investigation, Instructure said.
