Shaw Local

News   •   Sports   •   Obituaries   •   eNewspaper   •   Election   •   The Scene   •   175 Years
Northwest Herald

Canvas cyberattack hits McHenry County school districts

Students are pictured in a file photo working on laptops at Lanphier High School in Springfield.

Students are pictured in a file photo working on laptops. (Capitol News Illinois photo by Andrew Campbell)

By Claire O'Brien

Some McHenry County school districts and McHenry County College use an online system for learning that went down this week following a cyberattack.

Canvas – an online system used by schools and universities to manage grades, course notes, assignments, lecture videos and more – suffered a cyberattack and outage this week, according to the Associated Press.

Woodstock School District 200 said in a message to families Friday, shared with Shaw Local, that the district was notified by Canvas’s parent company, Instructure, Inc., of a data breach.

“The data breach allowed unauthorized access to certain information stored within their systems,” according to the notification.

The system was down temporarily, district spokesperson Kevin Lyons said Friday.

The information potentially accessed included student names, email addresses, student ID numbers and Canvas messages between users.

“Their investigation so far does not indicate that passwords, dates of birth, government identifiers or financial information were involved,” according to the notification.

The district’s security measures include two-factor authentication, meaning staff must verify their identity with a second way like a security key or text authentication “to access their network account and other critical applications.”

Other measures include restricting students’ ability to send or receive emails from outside District 200.

Officials said they also are:

  • Using access level security best practices and internal controls that restrict who has rights to view, add/delete or edit information.
  • Employing automated access management to remove access for employees who leave the district or change positions. 
  • Following cybersecurity best practices, including regular updates, strong password policies and system monitoring to prevent unauthorized access.
  • Restricting and disabling remote technical support access to mitigate risks from third-party systems to protect against incidents like this.
  • Consulting with federal, state, and private cybersecurity experts to review and enhance our cybersecurity posture."

District 200 said protecting student data “remains paramount” and encouraged people to contact the technology department at datasupport@wcusd200.org if they have questions or concerns.

Crystal Lake-based Community High School District 155 told parents and staff Instructure told them it “experienced a cybersecurity incident in late April involving unauthorized access by a criminal threat actor. As part of their investigation, they have confirmed that data associated with District 155 was obtained.”

Similar to District 200, the notification said the data might have included student and staff names, email addresses, student ID numbers and messages within the system.

“At this time, there is no indication that passwords, Social Security numbers, dates of birth, or financial information were involved, as we do not share this information with Canvas,” the notification said.

District 155 officials said they don’t have any indication currently that any information was misused.

They also said they immediately began working with Instructure to “understand the scope and impact of the incident and to ensure appropriate steps are taken. Instructure has indicated that the vulnerability has been addressed, access has been secured, and there is no evidence of ongoing unauthorized activity.”

The district said families should pay attention to any unusual or suspicious communications. District 155 added that it takes the security of student and staff information seriously and will continue to monitor the situation closely.

McHenry County College was not available for comment Friday.

Officials in McHenry School District 156, Crystal Lake Elementary School District 47, Harvard School District 50, Marengo School District 154, Marengo-Union School District 165 and Huntley School District 158 confirmed they do not use Canvas.

In Johnsburg School District 12, Michael Cooper, the district’s IT director, said Friday he learned a teacher had used the free version of Canvas. He said the platform had not been used in the district in the past six months. The district was not notified by Canvas about the cyberattack, but officials are monitoring the situation.

McHenry CountyLocal NewsCrystal Lake District 47McHenry County CollegeHarvard District 50Fox River Grove School District 3Johnsburg School District 12Woodstock Community Unit School District 200McHenry Community High School District 156Huntley Community School District 158Marengo Community High School District 154Marengo-Union Elementary School District 165BreakingCommunity High School District 155EducationCybercrime

Claire O'Brien

Claire O'Brien is a reporter who focuses on Huntley, Lake in the Hills, Woodstock, Marengo and the McHenry County Board. Feel free to email her at cobrien@shawmedia.com.