How to Respond to a Cyberattack on Your Online Learning Platform During Finals
Introduction
When a cyberattack hits your learning management system (LMS) like Canvas in the middle of final exams, chaos can erupt. In a recent incident, the platform went offline after unauthorized activity, and a ransomware group claimed to have accessed data of millions. This guide provides a step-by-step approach to managing such a crisis, based on lessons from real-world events, so you can protect data, maintain continuity, and minimize disruption.
What You Need
- Incident response plan – pre-approved actions for security breaches.
- Communication tools – email, SMS, or internal messaging for fast updates.
- Backup systems – alternative exam platforms or offline assessment methods.
- IT security team – internal or contracted experts.
- Legal and PR support – to handle disclosure and compliance.
- Contact list – of key stakeholders: faculty, students, law enforcement, and the platform vendor.
Step-by-Step Guide
Step 1: Immediately Isolate Affected Systems
As soon as you detect suspicious activity, disconnect the compromised LMS from your network to prevent further data exfiltration. In the Canvas incident, Instructure took the platform offline after identifying unauthorized activity. Your IT team should follow a similar containment protocol. Disable remote access, change all admin credentials, and ensure backups are separate from the live system.
Step 2: Notify Your Incident Response Team and Vendor
Activate your pre-defined incident response plan. Contact your LMS vendor (e.g., Instructure) immediately. They may have already identified the threat actor – in this case, ShinyHunters – and can provide guidance. Also inform internal leaders: the CIO, provost, and legal counsel. Keep a log of all actions and communications.
Step 3: Assess the Scope of the Breach
Work with IT security to determine what data was accessed. In the Canvas attack, the company reported that user names, email addresses, student ID numbers, and messages were compromised, but not passwords, birth dates, or financial info. Your assessment should identify whether sensitive data like grades or social security numbers were exposed. Use forensic tools to analyze logs and affected accounts.
Step 4: Communicate Transparently with All Stakeholders
Draft clear, honest messages for students, faculty, and parents. Explain what happened, what data was involved, and what steps you are taking. In the Canvas breach, schools scrambled to inform users. Your communication should avoid panic but acknowledge the seriousness. Use email, the LMS homepage (if still functional), and social media. Include a timeline for restoration.
Step 5: Implement Temporary Assessment Solutions
While the LMS is offline, final exams may need to be postponed, rescheduled, or moved to a backup platform. Options include:
- Offline paper exams (if possible with short notice).
- Using a secure alternate LMS (e.g., Moodle, Google Classroom).
- Allowing take-home exams with strict submission deadlines.
Be flexible: some schools may extend the exam period. Ensure that any temporary solution still protects integrity – for instance, require proctoring software or honor pledges.
Step 6: Coordinate with Law Enforcement and External Experts
Report the breach to relevant authorities (FBI, CISA, local cybercrime units). The ShinyHunters group operates on dark web forums; law enforcement may help track the data. Also consider hiring a cybersecurity firm to conduct a post-incident review. This step is critical for legal compliance and future prevention.
Step 7: Restore and Test the LMS Before Reopening
Once the vendor confirms the platform is secure – as Instructure did the next morning – carefully restore it. Change all passwords, enable multi-factor authentication (MFA), and scan for any residual malware. Test the system with a small group of faculty before full-scale use. In the Canvas incident, the platform came back online Friday morning, but schools needed to verify stability.
Step 8: Conduct a Post-Incident Review and Update Policies
After the crisis subsides, hold a debrief with all teams. What worked? What could be improved? The Canvas breach affected 275 million people across 8,800 schools, highlighting the scale of risk. Update your incident response plan based on lessons learned. Train staff on phishing detection (often linked to ransomware attacks). Consider implementing regular penetration testing.
Tips for Long-Term Preparedness
- Regularly back up data – store backups offline or in a separate cloud to avoid encryption by ransomware.
- Enable MFA for all LMS accounts, especially admin and faculty.
- Monitor dark web forums for mentions of your institution’s data.
- Have a communication template ready to speed up initial notifications.
- Partner with your LMS vendor for security updates and threat intelligence.
- Practice tabletop exercises simulating a breach during finals to test your response time.
Remember: even the best security can be breached. The goal is to respond quickly, communicate honestly, and learn from each incident. By following these steps, your institution can protect its community and maintain academic continuity even when faced with a cyberattack.