Important Guidance from UMass IT Regarding the Canvas Cybersecurity Incident
Jeremy Pelegrin, chief information security officer for UMass Amherst Information Technology, sent the email below to the campus community on May 11, providing special cybersecurity guidance following an incident that impacted access to the learning management software Canvas.
Pelegrin also discusses the university’s efforts to protect its digital systems and the changing cybersecurity landscape in higher education in this article published recently on the IT site.
Dear Campus Community:
UMass Amherst, along with thousands of schools and universities worldwide, was impacted by the cyber incident experienced by a third-party vendor, Instructure (the company that provides thousands of schools with Canvas learning management software). While UMass Amherst IT has taken additional steps to protect our campus systems, I am writing to urge all students, faculty, and staff to remain vigilant in the days and weeks ahead.
Instructure, the publisher of Canvas, has notified UMass Amherst that data fields involved in this Canvas incident may include usernames, email addresses, course names, enrollment information, and messages. Instructure has also informed UMass Amherst that core learning data was not compromised (i.e., course content, submissions, credentials). Additionally, please note that UMass Amherst does not store dates of birth, government identifiers, or financial information on our instance of Canvas.
After an incident like this, malicious actors may see an opportunity to launch phishing attacks targeting affected communities. I encourage everyone to exercise caution and be alert to suspicious messages, emails, or phone calls.
What you can do to protect yourself and the university community:
- Only log into Canvas directly via the trusted links at umass.edu/it/canvas and be wary of emails or messages asking you to log into Canvas through other means.
- Be cautious of emails appearing to come from Canvas, Instructure, or UMass entities (e.g., instructors, staff, departments), even if they reference specific assignments, current projects, course information, or other seemingly familiar details. You can continue to use the messaging feature in Canvas.
- Do not click on suspicious links or attachments.
- Do not respond to any communications you suspect may be fraudulent or malicious.
- Never share your UMass login credentials.
- If you receive a suspicious message or believe you may have responded to a phishing attempt, contact the UMass Amherst IT security team immediately: [email protected]
Where to get information, support, and updates:
- Updates about the Canvas security incident will continue to be posted on the UMass Amherst IT website: umass.edu/it/instructure-incident
- Visit Instructure's Security Incident Update & FAQs web page for additional details.
- UMass Amherst students, faculty, and staff can email [email protected] with questions.
To learn more about phishing and cybersecurity best practices, visit these UMass Amherst IT support articles:
- Phishing: Fraudulent Emails, Text Messages, Phone Calls & Social Media
- Protect Yourself Against Phishing Scams & Identity Theft
Thank you for supporting these efforts to help keep our campus community secure.
Sincerely,
Jeremy Pelegrin
Chief Information Security Officer
UMass Amherst Information Technology