Instructure, the US-based company behind the learning tool Canvas, which is used by thousands of schools and universities in the US and UK, has suffered a serious cyber breach.

The cybercriminal group ShinyHunters has claimed responsibility, although this has not yet been officially confirmed. The group says that it has stolen 2.6 terabytes of data, affecting over 9,000 schools and universities. Canvas is widely used in both the US and the UK, where it is deployed at universities including the University of Birmingham, London Business School, and the University of Wolverhampton.

"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions," said Steven Proud, Instructure chief information security officer.

The breach could have far-reaching consequences, as Canvas is a popular learning management system used by schools, universities and businesses to create and deliver educational courses. The platform is used widely by teachers to host content, grade assignments and more.

Third parties are now a prime target

Third-party companies in the education sector, such as Instructure, have become prime targets for cybercriminals. The company was previously targeted by ShinyHunters in September, during a series of attacks.

At the start of last year, education software company PowerSchool suffered a breach exposing sensitive student and teacher data, including special education status, mental health details, disciplinary notes and parent restraining orders. The cybercriminals stole data belonging to 62 million students and 9.5 million teachers. The company then faced multiple lawsuits for allegedly weak cybersecurity practices, such as a failure to use multifactor authentication, leading to the breach. In February of this year, PowerSchool was reported to have settled at least one class action lawsuit for $17.25 million.