The last message I expected to receive Thursday afternoon was a request by a student to postpone an assignment because of a cyberattack. Canvas, the tool where millions of students around the world submit their work, check their grades, watch lectures and take quizzes was inaccessible to faculty and students in the waning days of the school year.

People were posting ransom note screenshots on social media. Something like this was bound to happen eventually. It’s an inevitable consequence of information centralization. 

About an hour after I got the message, I was trying to assess the damage. For me, it was not that bad. I give paper tests and quizzes and I’ve been regularly creating Slack workspaces for my classes. I mainly use Canvas to link to documents and allow students to check their scores and ponder about their grades. It was a real hassle when the only answers to “How am I doing in this class” sat in a private gradebook in the instructor’s office. 

But I am probably in the minority. Many of my colleagues are heavily dependent on Canvas, especially for bigger or online classes —  those that have no live lectures. For them this was “deeply disruptive,” as the California Faculty Association put it.

I had never heard of the parent company Instructure before, and until this hack, I didn’t realize Canvas content was centrally stored. It’s been at least a decade-long trend to move services off campus to save on costs. All kinds of records and student databases are offsite now. 

The pitch is always the same: save money by doing things at scale. Cut out expensive maintenance and data storage. Why pay for servers and IT staff for technology that will be obsolete in a few years? The vendors who contract with university campuses swear up and down that it’s safe, secure and it won’t be used to train AI. 

The risk of having millions of student records and multiple terabytes of data in one place is rarely even contemplated by decisionmakers. Experts have warned about these vulnerabilities for well over a decade. And that’s not the only problematic vendor doing business with universities.

Many students and faculty began reporting normal service restoration by Friday afternoon, almost 24 hours later. By Monday, Instructure had announced how the hackers pulled it off. Everyone knows how this works when major breaches occur. Our personal information is surely already out there, like so many old passwords we receive warnings about. Even if the hackers are paid, can we really believe they deleted the data?

The real question is whether California officials and university administrators are any wiser now. Will our schools and offices continue to offload personal data to outside companies to save a few bucks?

Of course, huge companies already store our emails and credit card transactions. We accept the risk and cope with the breaches. But do they also have to store our school grades, food orders, security footage, license plates? And which ones can we trust?

Some are great at security. Some are clearly not.

Foaad Khosmood is a Cal Poly professor and research director for the Institute for Advanced Technology and Public Policy.