Cybersecurity Incident Strikes Needham Public Schools, Impacts Canvas Platform
Incident Overview
Needham Public Schools in Massachusetts has disclosed a cybersecurity incident affecting Canvas, an educational software platform. The district received notification of the breach on May 1 and was informed on May 7 that data had been downloaded. A second breach was reported on the same day.
A second breach was reported on the same day as the initial notification.
Data Compromised
According to Superintendent Dan Gutekanst, the accessed information included first names, last names, and email addresses for all students and staff. Additionally, teacher gradebook data linked to the PowerSchool student information system may have been modified.
Response
Instructure, Canvas's parent company, detected unauthorized activity on April 26 and immediately revoked the unauthorized party's access, initiating an investigation. On Thursday, additional unauthorized activity was identified.
In response, Instructure temporarily took Canvas offline to contain the activity and apply additional safeguards. Needham Public Schools disconnected Canvas from PowerSchool to prevent further compromise. The district has requested a complete report from Instructure detailing the data breached or modified.
Scope
Wellesley High School, also a Canvas client, is among approximately 9,000 affected institutions.