On May 7, Montgomery County Public Schools cut students off from access to myMCPS Classroom, otherwise known as Canvas, after the extortion group ShinyHunters breached Canvas’s parent company Instructure. The group threatened to leak data tied to nearly 9,000 schools worldwide unless its demands are met by the end of the day on May 12. This outage comes in the middle of AP and IB exam season, when students rely on Canvas for study tools and last-minute review materials.
The shutdown, announced districtwide Wednesday evening, came a few hours after Canvas dashboards across the country, including those at RM, showed a defacement message from ShinyHunters threatening to leak data. By around 4:15 p.m., Canvas replaced the dashboard with a notice stating that “Canvas is currently undergoing scheduled maintenance” despite no such maintenance being announced in advance. The platform is inaccessible to both teachers and students countywide.
In a message to families, MCPS announced, “Out of an abundance of caution, access to the system will remain unavailable while we work to better understand the full impact of the incident and any potential vulnerabilities involving information connected to the platform.” The district urges students not to attempt to enter Canvas until the issue is resolved.
“My students were in the middle of a common writing task, so they need to get onto Canvas. We also have run out of paper. I am probably going to have a community builder day tomorrow, so the kids can have a break,” said Sarada Jasti Currie, a social studies teacher at North Bethesda Middle School. “I think that us teachers will have to figure it out on our own, or wait until the last minute. It will be a little stressful.”
The Wednesday outage follows an earlier breach on May 1, after the group exploited a vulnerability in Instructure’s systems on April 30. This extortion group, founded in 2019, is known for its “pay-or-leak” structure, which pressures affected companies and organizations to quickly pay ransoms to protect their users’ data. The group has previously targeted Microsoft, AT&T, Ticketmaster, Qantas and universities including Princeton and the University of Pennsylvania.
ShinyHunters claims to possess names, emails, student ID numbers and private chats between teachers and students. Instructure has stated that no passwords, dates of birth or financial information are believed to have been included in the leak. A list of affected institutions published by ShinyHunters includes schools around the world, reportedly including schools in Maryland.
The outage underscores the dangers of MCPS’s reliance on a single third-party platform. Canvas, owned by Instructure, is the most popular learning management system (LMS) in the country, serving over 30 million students across K-12 and higher education settings. Apart from StudentVUE, managed by Edupoint Education Systems, Canvas is used for practically all other academic functions across all schools, including online assignments, instructional tools, homework and messaging.
“For me at least, everything revolves around Canvas. Almost all of the assignments that I’ve had in MCPS have been through Canvas, and also review guides and materials in modules for AP and IB tests. Students who have scheduled exams coming up need those documents to study,” junior Obi Schneider said. This single outage halts academic operations countywide, a concentration risk that reveals the weakness of a system with no redundancy.
MCPS has not stated when Canvas will be restored, but said that “additional information on how students can access resources and functions in myMCPS Classroom will be provided as soon as possible.”
“In terms of due dates and deadlines, we should definitely be compensated for our lost time,” Schneider said. “The county should mandate an extension to assignments or find a way for us to access our assignments outside of Canvas.”

