Dependency attack takes down ed-tech platform at scale

Educational institutions around the world were rocked by a recent breach of a platform that serves every level, from the lowest grades to universities. In a textbook ransomware group maneuver, Shiny Hunters struck Canvas, the largest learning management system (LMS) in the United States, when it would hurt the most: during finals week. 

And the lesson was one that security professionals should have already mastered: Software supply chain risks can quickly turn into operational risks. In this case, a solitary flaw in a single SaaS provider grew into a major security event that spread across gradebooks and coursework for millions of teachers and students.

David Brown, associate director of cyber intelligence and response at NCC Group, said the cascading nature of the attack was what mattered. 

“The breadth of impact is what makes it stand out — not just the volume of data involved, but the way a single compromise can cascade across an entire sector.”
—David Brown

Here’s what you need to know about the Canvas supply chain attack – and a five-point refresher course on supply chain security.

[ Download today: Software Supply Chain Security Report 2026 ]

A cascade of consequences

Canvas is an LMS with more than 9,000 institutions on its roster. Shiny Hunters’ attack gained access to the data and accounts of 275 million users, both teachers and students. The entire platform was shut down on Thursday, and Canvas’s maker, Instructure, reported that it had to shut down its Free-For-Teacher account system indefinitely to do a security review on a flaw that the criminals exploited. 

The data extortion scheme came to a head on May 12 when Instructure announced that it had reached an agreement to pay the criminals not to expose data publicly. By then, Canvas had gotten most of its infrastructure back online, but many school districts and universities have kept access restricted or turned off entirely as they conduct their own security reviews. 

This was effectively a classroom kill0switch for many instructors who depend on Canvas to do everything from managing their gradebooks to organizing course learning materials. Many teachers lean on the platform to create and run their assessments, meaning that those who had prepped their final exams in the platform have been left to scramble for alternatives at the last minute. 

Steve Cobb, CISO at SecurityScorecard, said the timing of the attack added a lot of pressure.

“These institutions are now in difficult positions, with sensitive data at risk and disruption hitting at one of the worst possible times.”
—Steve Cobb

Software supply chain lessons for all

The fallout from this incident remains uncertain, and at this point no technical details are publicly available about the root causes of the attack or about the vulnerability that was exploited in the Free-for-Teacher environment. Even so, the consequences alone offer a refresher course software supply chain security.

1. Supply chain visibility matters

Software ecosystem risks are more than the sum of their parts. The way components are assembled into software that is then embedded in organizational operations can rapidly amp up risks.

The Canvas breach shows once again that all organizations need to keep tabs on third-party software risk, said Tony Javis, vice president and field CISO at Darktrace.

“Visibility of the security posture of your entire supply chain and how they interact with your own systems is critical in today’s world. If you don’t have that visibility, then the risk to your own systems because of one of your supplier’s vulnerabilities is incredibly heightened.”
—Tony Javis

2. No procurement without security checks

Organizations need to sharpen their procurement processes by scrutinizing the security practices of every potential supplier. 

Too often, procurement decisions are based mostly on functionality and price, with security treated as a lower priority, if not neglected altogether, said Darren Guiccione, CEO and co-founder of Keeper Security. 

“Institutions that store sensitive data through third-party platforms have an obligation to understand how that data is protected, to ask tough questions during procurement and ongoing reviews, and to ensure contractual accountability exists.”
—Darren Guiccione

Procurement reviews need to extend to checking the components and code used by critical SaaS providers. Educational organizations are just as much at risk from SaaS tech as those in any other industry; studies show that nearly all of EdTech’s codebase — 95% — is open source. Canvas itself is an open-source LMS, as are the supporting projects that Instructure maintains. 

4. Monitor SaaS vendors for security changes

Nonetheless, organizations should keep in mind the benefits to be gained from SaaS risk transfer, a point made by Timothy Chester, vice chancellor for IT at the University System of Georgia, in a post on Substack. 

“Outsourcing risk through contracts remains prudent. In the Internet-connected age, all software is vulnerable; the question is which arrangement makes that vulnerability most manageable.”
—Timothy Chester

Chester recommends that organizations “red-team every technology service the institution operates or depends upon,” looking for anything resembling the root cause of the Canvas breach or any others. He also suggests that they periodically ask each SaaS vendor how its capabilities are evolving. “What new capability has been added to the platform in the past twelve months, and how have the integration points and data pathways changed as a result?” he wrote. “Feature velocity is not free. New ways into a system are also new ways out, if attackers get in.”

5. Don’t neglect resiliency planning

Risk is always with us, and while transferring tech risk to SaaS vendors can be a good strategy, it has to be remembered that any operational risk belongs to the outsourcer. 

Brandon Blankenship, CISO at ProCircular, said this fact illustrates that it’s incumbent upon business continuity planners to have a real plan involving more than contacting the vendor and holding it to its service-level agreement.

“Real resiliency planning means discarding who is at fault and putting in place some viable workarounds when the ‘too big to fail’ external platform actually fails.”
—Brandon Blankenship