Northwestern Student Data Hacked
Bad Governance all around; the Ed Tech business is a mess
I teach a class once a year at Northwestern in the Medill/Integrated Marketing Communications program. The topic of the class is data governance for marketing and journalism students — themes include privacy, artificial intelligence, and information security. Yesterday, we got an unfortunate real-world example.
For almost three hours (from 2:40pm to 5:37pm), students and faculty trying to access Northwestern’s Canvas system were greeted with the following ransomware message:
Canvas is Northwestern’s learning management system (LMS) — it’s where students submit homework, receive feedback/grades, and access course content. If you went to college more than 10 years ago, you probably used a similar system called Blackboard. This is the equivalent of that.
Despite Instructure’s status page claiming Canvas is back up, as of right now, it is still down at Northwestern. The Provost’s response was to issue hastily written guidance to staff — use Microsoft Forms? It’s pretty clear that Northwestern didn’t have a disaster recovery plan in place.
This outage is impacting almost every college and university in the United States in some way:
Canvas is run by a large ed tech company, Instructure. In 2024, they were bought by a private equity firm KKR for $4.8B.
Instructure’s status page provides a history of events, including a claim on May 2nd that they resolved all the issues. They claimed student data was ex-filtrated but seemed uncertain about exactly what.
Update - We are providing an update on the security incident we advised you of yesterday. While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained.
Here are the steps we have taken since we became aware of the incident. We have:
- Revoked privileged credentials and access tokens associated with affected systems
- Deployed patches to enhance system security
- Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused
- Implemented increased monitoring across all platforms
While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.
Thank you for your patience as we work to resolve this matter. We sincerely regret any inconvenience or concern this may cause. We will continue to keep you apprised as our investigation progresses. For up-to-date information on specific systems, please continue to visit our status page.
Steve Proud
Chief Information Security Officer
May 2, 12:46 MDT
Given how deeply these hackers infiltrated Canvas, they likely had access to the systems for weeks or months — it’s plausible they could’ve ex-filtrated everything. Not just student names and emails but also exams, essays, grades, feedback, and communications. The implications to education could be huge - that dumb college essay you wrote 10 years ago could now be used for blackmail or worse, dumped out on the internet, wikileaks-style.
This is a fundamental violation of trust and privacy in higher education — why should any student submit an intellectually risky paper ever again if there’s some chance it ends up in the hands of a hacker? As teaching faculty, how can I ask my students to take that risk? The introduction of AI has started pushing colleges and universities back to blue books, and this (hopefully) should push that the rest of the way.
This isn’t the first major data breach of a vendor in the education business. In January 2025, PowerSchool was hacked, and the hacker ex-filtrated vast amounts of District 65 student data including:
Student name and District 65 ID number
Student address
Student birth date
Guardian email address
Transfer dates for the last active school year the student was enrolled
Student lunch PIN (used only internally)
Free/reduced lunch status
Health concerns (examples include allergies; glasses; medical conditions such as asthma, ADHD, epilepsy)
If you had a student in District 65 from 2015-2025, your child’s data was in that breach. PowerSchool hired an auditor to assess the damage, claiming that the data never made it to the dark web. But you can never really be 100% sure where the data went. The hacker was eventually arrested and sentenced. PowerSchool has been involved in ongoing litigation involving the hack and just settled a case for $17M involving “illegal wiretapping” with the Chicago Public Schools.
I’ve written about the educational technology business a few times. School Districts and Universities spend an enormous amount of money on technology - District 65 spends about $3.9 million/year on staff and infrastructure, including $290,362/year on PowerSchool. It’s not clear how much Northwestern pays for Canvas, but it’s probably six or seven figures.
I love technology but it’s increasingly a liability in the education business. Good governance dictates taking a serious look at how we’re using these platforms and the risk we’re exposing our students to, whether a kindergartner or a college senior. We’re the adults in the room.