When the Platform Goes Down, the Students Pay


Canvas went dark last week. If you’re not in education or don’t have a kid at uni, you might have missed it entirely. Canvas is the learning management system that a significant chunk of the world’s schools and universities use to run coursework: assignment submissions, grades, direct messages between students and staff. The whole administrative scaffolding of modern education, basically.

Hackers got in. Ransom demand. Deadline of May 12. Student data potentially on the line.

The incident itself is bad enough. But the conversation that followed is where it gets interesting.

One of the first reactions online was something along the lines of: schools should be self-hosting this stuff, not handing it all to a third-party vendor. And look, I get the instinct. Putting mission-critical student data into a single commercial platform is exactly the kind of architectural decision that looks fine until it very much isn’t. I’ve worked in this space long enough to wince at single points of failure.

But the counterargument landed just as cleanly. Most schools don’t have the budget or the staff to self-host something that students need access to every hour of every day. Hiring senior DevOps and infrastructure people costs real money, and that money comes from somewhere. Usually somewhere that involves cutting something else. The uncomfortable truth is that outsourcing to a vendor isn’t just laziness; it’s often the only realistic option for institutions running on thin margins. That doesn’t make it good. It just makes it understandable.

What actually struck me, reading through the discussion, was a comment from someone who identified as a professor. They pointed out that students sometimes disclose genuinely sensitive personal information in their assignments, things that instructors actively discourage but can’t prevent. In the current political climate in the US, with expanded immigration enforcement and an administration that has made its priorities fairly clear, some of those disclosures carry real weight. Homework, it turns out, is not always just homework.

That’s the part that sits with me. The data that leaked isn’t financial. It’s names, email addresses, student IDs, and the content of messages. Not nothing, but not the catastrophic identity theft scenario some people jumped to. Except. Except context matters enormously. A message a student sent to a professor two years ago, explaining a personal situation, is now potentially in someone else’s hands. That’s not abstract. That’s a real person who trusted a system that turned out to be less secure than advertised.

The broader pattern here is one I keep coming back to. We keep centralising sensitive data because centralisation is efficient. One platform, one login, one vendor to manage compliance. And then we express surprise when a breach hits at scale rather than in isolation. The efficiency is real. The risk is also real. We don’t have a good framework for holding both of those things honestly at the same time, so we tend to ignore the risk until it becomes a headline.

I don’t know what the right answer is for how educational institutions should manage this stuff going forward. More redundancy costs money that most of them don’t have. Vendor lock-in is a known problem with no clean exit. Regulation could help, but it tends to arrive well after the damage is done.

What I do know is that somewhere right now there’s a student refreshing their Canvas portal, wondering what exactly got out, and whether it matters. That uncertainty is its own kind of harm, and we designed the conditions for it.