The school day was “a bit of a logistical nightmare” on May 8, according to Nikita Borisov, a professor of electrical and computer engineering at the University of Illinois Urbana-Champaign’s Grainger College of Engineering.

But it wasn’t your typical chaos: A cyberattack against widely used edtech platform Canvas locked college professors, high school teachers, and students out of assignments, messaging, video content, grades, and other classroom materials.

While the global downtime caused minimal disruption for Borisov (whose final presentations for students did not explicitly rely on Canvas, he said), some teachers had to figure out a plan when campus canceled exams on May 9.

Threat actors exploited a vulnerability related to the company’s “Free for Teacher” environment, according to a statement from Steve Daly, Canvas parent company Instructure’s CEO. The chief exec said the incident involved unauthorized ​access to ⁠information like usernames, email addresses, course names, enrollment information, and messages.

The hacking group ShinyHunters posted on their own site that they had stolen terabytes of data from Canvas linked to nearly 9,000 schools worldwide.

How to prepare for this kind of disruption.—BH

For years, cyberattackers refined their social-engineering techniques, fooling the unsuspecting into giving up their most valuable data. Can attackers use similar tactics to trick AI agents into giving up information?

The threat intelligence team at Okta recently decided to test how AI agents handle secrets and credentials. Their target: OpenClaw, an open-source AI agent that leverages popular messaging services such as WhatsApp and is widely used for a variety of highly specialized tasks. To carry out its workflows, OpenClaw also needs a human user to give it extensive permissions, making it a tempting target for attackers. (Security professionals have been warned about the setbacks inherent in the agent.)

“We just started playing around with OpenClaw and designed some interesting experiments around testing the guardrails around what agents would divulge, what would they protect, with a view to getting more of a perspective on what the attack surface is in an enterprise,” said Jeremy Kirk, a director with Okta threat intelligence.

How a “long and slow” approach can mess with an agent.—CN

When it comes to managing AI at the tech governance level, it’s important to define terms—and to have an international perspective.

That’s what panelists at Web Summit Vancouver told IT Brew’s Senior Reporter Eoin Higgins on May 14. The panel, entitled “Getting AI right: From tech sovereignty to digital transformation,” featured Shivam Kishore, senior advisor for digital transformation at the United Nations Environment Programme (UNEP), Maria Luisa Aldim, executive councilwoman for the Municipality of Lisbon, and Fabrizio Del Maffeo, CEO and co-founder of Axelera AI.

The first thing is to define terms, Del Maffeo said. A lack of understanding around what AI can and can’t do has restricted regulators’ approach to the technology.

“There is a lot of fear in Europe, too much fear, versus seeing it as a tool, which can be a great equalizer or create a great divide,” Del Maffeo said. “AI is such a technology, which can help reduce the gap between advanced society and the laggards.

The question of who owns and controls AI is changing.—EH