Last week saw a somewhat horrifying, somewhat freeing, Canvas shutdown. Following this, I thought it obvious to reflect on just how reliant I, alongside millions of other students across the globe, am on platforms like these. A reliance on one singular entity, which would have both intimidated and confused students only a few decades ago, now feels expected. Granted, concentrating every lecture, practical worksheet, and all other useful files onto one platform is ingenious. I press on one link and access thousands more. I search for one file and the computer magically filters through its millions stored. However, this cyber attack showed me, pretty brutally, that this centralisation comes at a great cost.
On the evening of Thursday 7th May, Canvas experienced its second cyber attack, with responsibility being claimed by the organisation known as ‘ShinyHunters’. Whilst it may have been the second attack, it was the first one that Oxford students will have noticed, being serious enough to warrant freezing for maintenance over the course of several days. Canvas itself is owned by the company ‘Instructure’, whose platforms have previously been targeted by ShinyHunters. Whether or not these targets have been successful is somewhat contested. They claim to have hacked Canvas twice before this recent group of attacks; however, other than an indiscriminate data breach disclosed by Instructure in September 2025, there does not seem to have been a subsequent infringement of privacy by this group in particular. Affecting around 9,000 institutions internationally, the damage was certainly widespread. Nonetheless, in the news, its concrete impact has not yet been quantified.
As a biochemist who had missed that week’s lectures in pursuit of (slightly) more fun activities, the impact was pretty grave on my weekend. I had about eight missed lectures to watch on Panopto, in order to even begin figuring out how to complete a tutorial sheet on nuclear magnetic resonance due early next week. Amplifying this stress were the three dry lab practical assignments waiting to be filled in entirely on Canvas, which I had also left for the weekend. It was not looking good. So, as I sat wondering what to do with my time, aware that every hour which passed was an extra hour of work I would have to do in the upcoming week, I thought hard about The Great Canvas Shutdown.
Online vulnerability is something most of us will already have experienced. Take your Google Password Manager, for instance. I’ve certainly been notified that a password of mine has been compromised in a data leak at least twice, urged by Google to change it immediately. Given the breadth of websites I’ve signed up to — whether I remember them or not — I shouldn’t be particularly surprised. And yet, this normalisation of data leaks has meant my tolerance for such data privacy compromisation is so high that I simply shrug it off and hope it doesn’t have any serious short-term consequences. To truly understand the gravity of this issue, however, I think the fact that in April 2021, Facebook had account details leak from 533 million users says all you need to know about the scale this can blow up to.
Here, the scale of the Canvas attack may be in different units, but with arguably similar potential impact. During this shutdown, the hackers threatened the company to publish 3.5 terabytes of student and university data. To put this into perspective, 3.5 terabytes is equivalent to around 900,000 photos on your mobile phone (if you took 100 photos a day, you would need 24 years to take this amount of photos), 700,000 songs on Spotify (that is about four years of playing music 24/7), and many billions of pages of text (if you like books). That’s a lot of data. Although it has not been disclosed whether Instructure eventually provided ransom payments to prevent the cyber criminals from publishing this data, I am certain that it was not an easy negotiation.
This scope of potential data leakage strengthens this initial issue of centralisation and reliance on a singular, possibly vulnerable, platform. Given that world-renowned, elite institutions such as the University of Oxford and Harvard University have allowed Canvas to dominate learning and research with such consequences, can we criticise modern academia as being quite fragile? We no longer use online programmes merely as organisational tools, but rather as systems of teaching, learning, assessment, and communication. Although their use might vary from subject to subject, I would argue that they increase efficiency in every domain. And yet, finding the optimum amongst efficiency, dependency, and vulnerability is tough.
But what’s the alternative? Can we move back to paper handouts, handwritten tutorial sheets, and solely in-person lectures? Living in a post-COVID society, alongside an increased awareness of issues of accessibility, I personally don’t think we can. And although it might contradict my frustration and defeat on the weekend following that fateful Thursday, I still don’t think we should. I try to justify this to myself by recognising that our advances in academia rely on a persistent evolution of tools which complement study, not replace them. And I think that Canvas does just that. But, to avoid this vulnerability, a viable solution could be to distribute resources across platforms and spaces, even if it means making extra effort and decreasing some of our efficiency. For instance, using OneDrive or Google Drive to back up and share files.
Ultimately, although this curiosity stems from my experience as a biochemistry student, the dependence on such platforms clearly extends beyond STEM disciplines alone. Embedding Canvas into academic life across the university means that this shutdown affected all of our community, regardless of the extent of that effect. If such institutions wish to maintain digital centralisation — which, realistically, they will — they also need to be prepared to be resilient and flexible. Digital dependence may frankly be inevitable, but it is how we adapt to it which remains under our control.