Cyber Incident Victim: Needham Public Schools

Instructure, the parent company of Canvas, detected unauthorized activity on April 26 and immediately revoked the unauthorized party's access while beginning an investigation. Needham Public Schools officials learned of the breach on May 1. On May 7 the district was informed that data from the district had been downloaded and was also notified of a second breach occurring on the same day. According to Superintendent Dan Gutekanst, the information accessed included first names, last names, and email addresses for all Needham Public Schools students and staff. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas. Wellesley High School, which also uses Canvas, was identified as one of approximately 9,000 affected institutions.

Out of caution, Needham Public Schools temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards. The district also disconnected Canvas from its PowerSchool student information system to prevent any further potential compromise of data or systems. Gutekanst noted that teacher gradebook data connected to PowerSchool could have been modified as a result of the breach. In response, the district requested a complete report from Instructure detailing what data was breached or modified. Needham Public Schools stated it would continue to closely monitor the situation and review any additional systems that could potentially have been affected downstream. The superintendent emphasized that the district was operating under the assumption that all students and staff were affected by the incident.