Regarding the cyberattack on the Canvas learning platform
The supplier of the Canvas learning platform was subjected to two cyberattacks on 29 April and 7 May. On this page, you will find a summary of the incidents.
What has happened
On 29 April, the supplier of the Canvas learning platform discovered that it had been subjected to a cyberattack in which personal data is likely to have been compromised. In total, 9,000 higher education institutions worldwide may have been affected by this attack, and personal data relating to 275 million users is suspected to have been leaked.
Following this initial incident, Canvas continued to function as normal.
On 7 May, Canvas was hit by a further cyberattack. This was detected quickly and the supplier shut down the learning platform. No further data was leaked in this attack.
Who is affected by the incident?
We do not yet know exactly who has been affected by the personal data breach. However, anyone who has or has had an account on Canvas via the University of Gothenburg may be affected, i.e. current students, former students, current staff and former staff.
What data is affected?
The personal data that the supplier states may have been affected is:
- Name
- Email addresses of students and staff at the university. This primarily concerns your GU email address, but if you have chosen to link your GU email address to a private email account, this account may also be affected.
- Student ID number. This may mean that data in the field containing personal identification numbers is affected. However, we have not yet received confirmation of this from the supplier.
- Personal messages between users on the Canvas platform.
- Information regarding course enrolments in Canvas.
At present, we do not know which of these data may have been leaked or to what extent The supplier is continuing to investigate the incident.
The supplier states that no passwords have been affected.
Measures taken by the supplier and the university
The supplier has implemented security enhancements to restore the security of the platform and thereby address the underlying vulnerability. The supplier has also engaged external experts to investigate the incident and has notified law enforcement agencies.
The supplier is actively working to determine the scope of the incident and will provide updates as new information becomes available.
The supplier’s information (Instructure.com)
The Swedish Research Council, which coordinates the Canvas learning platform for Swedish higher education institutions via Sunet, has reported the incident to the police.
Measures taken by the University of Gothenburg:
- We have reported the incident to the Swedish Authority for Privacy Protection (IMY) and to the Swedish Civil Defence and Recilience Agency (MCF)
- We have published general information on the Staff Portal, the Student Portal and in Canvas.
- We are continuously monitoring the threat landscape and adjusting our technical security measures as necessary.
- We are implementing enhanced technical measures on the learning platform.
- Increased readiness to deal with enquiries regarding the incident.
- We are continuing to monitor the situation and are in regular contact with the Swedish Research Council/Sunet, the supplier and other higher education institutions.
Steps you can take yourself
We urge everyone to be extra vigilant against phishing attempts. Look out for grammatical errors, inaccuracies regarding, for example, titles, contact details, the tone of the message or the content itself, as well as requests to disclose your login details via email.
Do not click on links or open attachments unless you are certain that the content is legitimate. If you are in any doubt, please verify with the sender via an alternative channel.
Contact regarding questions about the incident
Contact Servicecenter via servicecenter@gu.se.