How much control does an IT pro really have when a third-party platform gets hit

The school day was “a bit of a logistical nightmare” on May 8, according to Nikita Borisov, a professor of electrical and computer engineering at the University of Illinois Urbana-Champaign’s Grainger College of Engineering.

But it wasn’t your typical chaos: A cyberattack against widely used edtech platform Canvas locked college professors, high school teachers, and students out of assignments, messaging, video content, grades, and other classroom materials.

While the global downtime caused minimal disruption for Borisov (whose final presentations for students did not explicitly rely on Canvas, he said), some teachers had to figure out a plan when campus canceled exams on May 9.

Threat actors exploited a vulnerability related to the company’s “Free for Teacher” environment, according to a statement from Steve Daly, Canvas parent company Instructure’s CEO. The chief exec said the incident involved unauthorized ​access to ⁠information like usernames, email addresses, course names, enrollment information, and messages.

The hacking group ShinyHunters posted on their own site that they had stolen terabytes of data from Canvas linked to nearly 9,000 schools worldwide.

When platforms go down, either by misconfiguration or miscreant, can an IT pro actually soften the impact? We spoke with two security pros about important preparations.

Map your dependencies. According to Brandon Blankenship, CISO at cybersecurity company ProCircular, a team involving IT, legal, operations, and main players (say, professors) need to do an internal audit ahead of any compromise to define:

• Critical business processes (teaching and grading, for example)
• The core systems supporting those business processes (say, Canvas)
• The under-the-hood systems (dependencies) that the core systems need (like databases or identity management)

Next, Blankenship recommends that leaders discuss reasonable expectations for recovery time and how much downtime an organization can tolerate.

“Senior leadership has to understand this too-big-to-fail company can and probably will fail for 48 hours, or 24 to 72 hours, and if that happens, either we tell people, ‘Go home and we’ll do tests three days later,’ or we try to have a completely redundant system, which is almost always too expensive at that scale,” Blankenship said.

Etay Maor, VP of intelligence at network security platform Cato Networks and an adjunct professor at Boston College (who thankfully got his grades in before the incident), said school leaders need to identify high-risk assets, and strategize redundancies where necessary. Maybe grades and lecture videos are considered critical and must therefore be backed up on an external system; maybe messaging is less important and schools can resort to usual email.

“You need to [know]: What happens if Canvas goes dark on me?” Maor said.

A business continuity assessment “should absolutely be done beforehand with the systems that matter the most, and I would usually recommend, the fewer the better,” Blankenship said, adding there’s no need to build up in-depth plans for a dozen systems. Pick the “absolutely most critical” ones and run through what needs to happen when those go down.

Make outages part of your disaster recovery plan, Blankenship and Maor advised.

Be ready to answer the ransom question. Instructure “reached an agreement” with the threat actors, according to the CEO’s statement. Orgs should also prepare to answer ransom-related questions and work with insurance companies (in advance!) to determine set points for payment, Blankenship advised.

“Thinking about paying or not paying is such an emotionally charged conversation that should be guided by people who have been through incidents before,” Blankenship said.

According to calculations from pro-consumer site Comparitech, ransomware actors took credit for 251 attacks in 2025—a steady number compared to 2024’s 247 incidents. However, 2025 saw a jump in compromised records: 3.96 million compared to 3.11 million in 2024.

Wait, wait, backup. Both organizations and individuals need to prepare for an outage. Borisov luckily didn’t rely too heavily on the Campus platform.

“Having copies of your grades, having copies of your course materials in multiple places might make sense to be more agile in responding to these things,” he said.

Blankenship wants to see more backup and planning instead of a blame game.

“The control we put in place is: stop blaming IT, and stop blaming Canvas and having professors and TAs, whoever’s in operations, have a viable workaround if that system is unavailable for 48 hours,” he said. “That’s the real answer, and that’s a conversation that not many people want to have.”