May News from Information Security

Welcome to this midweek and very late edition of the monthly newsletter. As many of you are aware, there have been major events happening in the information security and higher education world. I’m going to briefly discuss both of the top issues (in my opinion) in this newsletter. Be prepared for some irony, skepticism and inevitability.

Before we get to those topics, I wanted to explain why the newsletter is so late this month. I was attending the Educause Cybersecurity and Privacy Professionals Conference in Anaheim, California the last week of April. It was just a week or so prior to that conference that the first of our two topics emerged. The second event happened DURING THE CONFERENCE, and sucked the wind out of the room for all other conversations in higher education information security. Dealing with the aftermath of both of these events took up considerable amounts of time the first two weeks of May, so here we are in the third week finally getting this newsletter “out the door”.

Our first topic involves everyone’s favorite new cyber-toy – artificial intelligence. Anthropic announced Project Glasswing on April 8th, 2026. This project was all about protecting the general public from the capabilities of their new frontier AI model Claude Mythos. I’m kidding…this was Anthropic gathering tech industry giants to form a cooperative project to rid the world of software bugs. I’m kidding…while there is some concern about Mythos’ capabilities, which are stunning, this project now feels like a huge publicity stunt.

Why all the fuss? It turns out that Mythos is really good at finding flaws, or bugs, in software. For example, Mythos found a bug hiding in a relatively secure operating system that went undetected for 27 years. It also found hundreds of bugs across every major web browser and operating system. Project Glasswing was created to use Mythos defensively, in hopes that the defenders of networks and systems could outrun the attackers. This is why Mythos has not been released for public use and only the members of Project Glasswing have access to it.

Granted, these members included tech heavyweights such as Amazon, Apple, Cisco, Microsoft, Google and others. If these companies could analyze and patch their software with this protected AI model before attackers got their hands on it, maybe we could stop the Internet from going nuclear. Unfortunately, time is everyone’s enemy and it turns out that the publicly available ChatGPT 5.5 AI model has very similar capabilities to Mythos. Time’s up! You can get more details about this on the official Project Glasswing page. It is interesting reading, but may set some people’s internal doom clocks off.

While Mythos was everyone’s hot topic during the conference, many security and privacy practitioners in higher education came home to the announcement that Canvas, the learning management system (LMS) used by over 40% of colleges and universities, had been hacked by a group called ShinyHunters. Data had been stolen from the platform and Instructure, the company that created and provides Canvas, was providing the worst incident response communication of all time.

ShinyHunters, a group notorious for ransoming data, had gained access to administrative level permissions in the Canvas system on April 25th, just days before the conference started. Instructure noticed the issue on April 29th, the first day of the conference. Instructure then waited until May 1st to announce the breach, after bringing in a third-party digital forensics and incident response team and spinning up an army of lawyers.

You can read the gory details of the incident on the official Instructure incident page, and there are sections of the page for customers, for faculty, and for students and families. You can find each of these sections on the top right of the main page. The short version of events is that ShinyHunters exported, using tools in Canvas, data including names, email addresses, course names, enrollment information, and most importantly and critically, messages. Messages could include any communication between students and professors, including discussions of grades, reasons for class absences, assistive accommodation requests and other sensitive information. Unfortunately, we currently don’t know what was included in these messages, as Instructure has not yet given us our file that contains the data known to be stolen.

ShinyHunters wanted money in exchange for not releasing all of this information publicly and on May 7th, after not hearing from Instructure on their ransom demands, they breached Canvas again and posted ransom notices on about 300 institutional Canvas login pages, inviting individual schools to pay them to protect their students’ information. Instructure subsequently “reached an agreement” with ShinyHunters to protect all of the stolen data. This is also known as “paying a ransom”.

That’s the short version of events. Again, the incident update page has more. The question burning in your mind right now is probably, “What does this mean for me?” Instructure “reached an agreement” with ShinyHunters to not release the data and there was some language about not using the data in future attacks, but we are talking about trusting criminals. Ultimately, everyone should be prepared for targeted phishing emails related to Canvas activities. Be very skeptical of Canvas-related emails in the future. That’s about the best advice I can offer at this time.

That’s been most of the last two weeks of my life and many others just like me in colleges and universities across the country and world-wide. If, after reading up on the official pages for these two very emergent topics, you have any questions or anything you don’t understand, I am happy to answer any questions that I can.

Welcome to summer 2026! It’s going to be a barn-burner, I think, and I’m not talking about the weather.

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.

Food For Thought

MindYourDecisions is a fabulous YouTube channel and this moral dilemma video is a great explanation of game theory concepts. I hope you enjoy this brain workout!

Featured image: Merge of Instructure logo and Project Glasswing logo.
