I've really got to sort out tagging from posts made on the @posts account.

Reply to I've really got to sort out tagging from posts made on the @posts account. on Thu, 07 May 2026 21:19:11 GMT

douglevin@infosec.exchange — Thu, 07 May 2026 21:19:11 GMT

@simon @posts whelp, looks like - as they say - another shoe dropped with Canvas - at least here in the US. Hearing reports of anything new in your parts?

Reply to I've really got to sort out tagging from posts made on the @posts account. on Thu, 07 May 2026 02:51:22 GMT

douglevin@infosec.exchange — Thu, 07 May 2026 02:51:22 GMT

@simon @posts I take all those audits/assessments as signifiers of a potentially strong cybersecurity program, but none are perfect - and, in some cases, they are indeed simply performative. More about trying to manage risk - and even liability, if it comes that - than any sort of guarantee.

When regulators review the incident - at least here in the US - they’ll try to determine if the company took ‘reasonable, steps to safeguard the data in their care. That’s a slippery word - and one that keeps many a lawyer employed.

Reply to I've really got to sort out tagging from posts made on the @posts account. on Thu, 07 May 2026 02:39:35 GMT

simon@bne.social — Thu, 07 May 2026 02:39:35 GMT

@douglevin @posts Oh for sure yeah. There's clearly value in going through good assessments even if something goes wrong later. I just mean it might make people question their value as marketing tools. As you say, knowing what went wrong is vital — would be bad if the compromise relates to something that was specifically evaluated under one of these programs.

Reply to I've really got to sort out tagging from posts made on the @posts account. on Thu, 07 May 2026 02:34:47 GMT

douglevin@infosec.exchange — Thu, 07 May 2026 02:34:47 GMT

@simon @posts Can’t ever guarantee that you’ll not be a victim of cybercrime. 100% secure is simply not a thing.

We need to learn more about how they were comprised - and for how long - to better judge.

Having said that - to date - their response has seemed competent and quick and forthright, which is not something I see much (as someone who has tracked education cyber incidents for a decade).

As details emerge (the incident was discovered less than a week ago), I may of course revise my views.

Reply to I've really got to sort out tagging from posts made on the @posts account. on Thu, 07 May 2026 02:11:05 GMT

simon@bne.social — Thu, 07 May 2026 02:11:05 GMT

@douglevin @posts Interesting thanks! Rather brings into question the value of all those assessment processes.

Reply to I've really got to sort out tagging from posts made on the @posts account. on Thu, 07 May 2026 01:54:06 GMT

douglevin@infosec.exchange — Thu, 07 May 2026 01:54:06 GMT

@simon @posts have you seen https://trust.instructure.com? Not defending the company, but we’ve been tracking as it also affects US primary/secondary schools - among many others.