Boise State Cancels Final Exams After Cyberattack Hits Canvas Learning Platform
Boise State University students learned late Thursday night that all final exams — including in-person tests — had been canceled following a cyberattack on Canvas, the widely used instructional platform that serves colleges, universities, and K-12 school districts across Idaho and the nation.
What Happened
Instructure, the parent company of Canvas, placed the platform in “maintenance mode” as it investigates the source and scope of the shutdown, which struck during finals week for many students. The timing left institutions scrambling to respond with little notice.
Boise State Dean of Students Christian Wuthrich sent an email to students around 10 p.m. Thursday confirming the cancellations. “All final exams are canceled and will not be rescheduled,” the message stated. Wuthrich added that the university had no confirmed timeline for when Canvas would be restored and was actively working through contingency plans.
The disruption extends well beyond Boise State. Most Idaho colleges and universities rely on Canvas in some capacity, including the College of Western Idaho and the University of Idaho. Some K-12 districts across the state also use the platform. For more on how Boise State handled the fallout on Friday, see our report: Boise State cancels final exams on Friday following Canvas cyberattack.
A Hacking Group Claims Responsibility
The shutdown came just two days after Instructure confirmed a separate data breach. A hacking group known as ShinyHunters claimed responsibility, and the group defaced Canvas login pages at some institutions. A message posted on affected login pages warned that sensitive data would be released by Tuesday unless schools entered negotiations with the attackers.
Instructure said following the initial breach that hackers had not accessed highly sensitive information such as passwords, dates of birth, government identification numbers, or financial data.
The incident fits a troubling national trend. Surveys conducted after the COVID-19 pandemic found that roughly 80 percent of schools that responded had experienced ransomware attacks. Security researchers have noted that educational institutions are frequent targets in part because they have shown a willingness to pay ransoms — with attackers reportedly describing school payouts as nearly certain.
A Pattern of Secrecy in School Cyberattacks
When schools fall victim to ransomware or data breaches, the response is often conducted behind closed doors. Specialized attorneys frequently serve as middlemen, bringing in cybersecurity and crisis communications professionals while shielding the process under attorney-client privilege. The result, according to multiple national investigations, is that victims of school data breaches may wait months or even years before learning their personal information was exposed.
What Comes Next
Boise State has not yet announced replacement plans for the canceled finals, and Instructure has not provided a restoration timeline. Students and faculty should monitor official university communications for updates on how the semester’s academic work will be evaluated.
The attack raises broader questions about the cybersecurity posture of Idaho’s educational institutions, from Boise to Moscow to nameless rural districts that depend on platforms like Canvas for day-to-day instruction. With commencement season underway, the stakes are especially high — including for soon-to-graduate students in fields like nursing, who are finishing their final coursework. For more on that community, read: Graduating nursing students advocate for their patients, their profession.
Ada County parents and taxpayers with students enrolled in local districts that use Canvas should contact their school district directly to determine whether local K-12 instruction has also been affected.