Global cyberattack impacts more than 9000 institutions
The RACGP confirmed it has not been impacted by the breach, which is compromising the data of universities and learning platforms.
Canvas says it is ‘actively investigating’ the cyberattack.
The RACGP has assured its online training platforms are not impacted by a cyberattack on popular learning management system, Canvas, which is affecting multiple education providers across Australia.
News of the cyberattack broke earlier this week when Canvas’s parent company, Instructure, announced it had ‘experienced a cybersecurity incident perpetrated by a criminal threat actor’.
The incident involved Canvas Learning Management Systems (Canvas LMS) – a cloud-based platform used by 9000 institutions globally, including universities, schools and other education facilities in Australia.
Several education providers have since made public statements on the impact of the attack, with some reporting minor disruptions and others disclosing they’d received a notification from Canvas.
A notice on the Australian College of Rural and Remote Medicine (ACRRM) website confirmed that ‘due to the global Canvas cyber security incident, ACRRM recommends users do not access the Canvas platform’.
Meanwhile, University of Melbourne confirmed its data had been involved in the breach, while the University of Sydney said it is ‘engaging with the vendor to confirm if any personal data from our community has been compromised’.
RMIT University also issued a public statement advising that its data has been impacted.
Canvas has advised it is not seeing ‘any ongoing unauthorised activity’ but recommends users take precautionary action and ‘follow security best practices’.
This includes enforcing multi-factor authentication on privileged accounts, reviewing admin access, and rotating API tokens or keys where applicable.
While the RACGP’s online training platforms are not impacted, the college has advised members to be mindful of a potential increase in email threats.
Advice is also available from the Federal Government’s cyber safety website for individuals and businesses.
Dr David Adam, a GP and member of the RACGP Expert Committee – Practice Technology and Management, said at this stage there is little detail on what information has been lost, or who is at risk.
‘Unfortunately, there’s very little that any of us can do about an incident like this. None of our members have any control over the choice of provider and even the institutions have limited ability to assess the cybersecurity of the contracted organisations,’ he told newsGP.
And until there are heavier consequences for cyberattacks, these incidents will likely be an ongoing issue, Dr Adam said.
‘They will continue to happen until there are consequences for organisations beyond a brief moment of bad press,’ he said.
‘The Medisecure breach saw the personal and medical data of thousands of Australians end up in the hands of persons unknown and four years later there has been no attempt at preventing another similar problem, and no impact that I’m aware of for anyone responsible for the breach.
‘Our members are constantly concerned about the risk of an incident of this manner, and perhaps it is a good reminder to practice owners and managers to review our use of third-party providers where we have little control or accountability of information security.’
As for Canvas, the parent company says it is taking action following the attack, including increasing monitoring across all platforms.
‘While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,’ it said.
‘At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.’
For more information on cyber safety, visit the RACGP’s resources.