Cyber Incident Victim: University of Chicago
Date:
May 2026
Location:
United States of America
Summary
The ShinyHunters ransomware group launched a cyber attack on the Canvas learning management system, claiming responsibility for disrupting services at thousands of educational institutions worldwide, including the University of Chicago which temporarily disabled its Canvas page after being targeted; the attackers posted a ransom note demanding payment to prevent data release. The outage forced several universities to postpone or cancel exams and assignments, with institutions such as Mississippi State, Idaho State, Penn State, the University of British Columbia and the University of Toronto reporting limited or no access to Canvas while awaiting restoration from Instructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
A cyber attack attributed to the hacking group ShinyHunters disrupted the Canvas learning management system used by thousands of schools and universities worldwide, with the company Instructure reporting that the platform was available for most users by late Thursday while some institutions continued to experience outages on Friday. The attack affected an estimated 9,000 institutions across the United States, Canada, and Australia, occurring during a high‑stakes end‑of‑year academic period and prompting several universities to cancel or postpone examinations and advise students not to attempt to log in. The University of Chicago in Illinois responded to reports that it had been targeted by temporarily disabling its Canvas page, a measure taken after the university became aware of the breach affecting the service.
The Chicago Maroon, the university‑led newspaper, published a screenshot of a message purportedly from ShinyHunters that appeared to be seeking a ransom, urging the university to contact the group privately to negotiate a settlement and avoid the release of its data. This same message was received by a Northwestern University master’s student, Jacques Abou‑Rizk, after he clicked a link in an email that seemed to come from a university administrator. Abou‑Rizk said that Northwestern addressed the issue on Thursday by sending a generic email, observed by the BBC, stating that the university was monitoring an issue and had no estimated restoration time for Canvas while confirming that other IT infrastructure remained unaffected. He reported that he was still unable to access Canvas on Friday and had not heard further from the university, expressing anxiety about completing his work, accessing necessary sites, and the uncertainty surrounding what data might be released. The BBC noted that it had contacted Northwestern University for comment regarding the incident.
Additional details from the article indicate that screenshots showed the targeted threats from ShinyHunters began on Sunday, with deadlines set for Thursday and 12 May, as reported by threat analyst Luke Connolly of Emisoft, who noted that discussions regarding extortion payments could be ongoing. The cyber attacks occurred on the same day that Senator Chuck Schumer sent a letter to the Trump administration urging increased defenses against cyber risks in the era of rapidly developing AI, emphasizing that the Department of Homeland Security must immediately assist states and localities to prevent outages, disruptions, and attacks that could endanger lives and livelihoods. Other universities, including the University of Sydney, Mississippi State University, Idaho State University, Penn State University, the University of British Columbia, the University of Toronto, and the University of California Los Angeles, reported similar Canvas outages and related impacts on coursework and examinations.