May 21st marks Global Accessibility Awareness Day, a campaign to raise awareness of digital accessibility run by a non-profit foundation that began in 2011. I discovered GAAD last year and used the occasion to plug some of our staff development, but it was too late to do much more than that. This year we’ve had time to plan more, turning it into Accessibility Month at Sunderland.
We’ve running weekly staff development sessions on accessibility all throughout May, and timed the release of the new Accessibility Checker tool in Canvas for today. This enhanced tool can now scan entire modules for issues and suggest fixes like adding missing ALT text and correcting insufficient contrast between foreground and background elements.
To raise awareness within the University we published an article on our SharePoint site, and released a two part podcast on May 8th and today. I’m not on either, I deferred the honours to my team, and in today’s episode we invited an academic on to talk about accessibility from their perspective.
So, err, Instructure have been in the news for rather unfortunate reasons. I didn’t know if I should say anything about this, but of course my team and I have been keep busy by it, and I have some thoughts on the situation, so first I’ll reiterate that this is my personal blog, and is in no way affiliated with, and my views are not endorsed by the University of Sunderland, or Instructure. Necessarily.
The purveyors of Canvas, Sunderland’s VLE for the past decade or thereabouts, were hacked on the 25th of April. They didn’t discover the intrusion until the 29th, and we didn’t know until we came back from the bank holiday Monday. It did explain all the alerts sitting in my mailbox from the weekend though. In the four days that the hackers were in, they extracted data from almost 9,000 institutions using Canvas, which included names, email addresses, student IDs, and ‘messages’. 275 million individual users, between 3 and 6 terabytes of data, according to different sources. That’s a lot of damage! The largest educational security breach in history according to the Wikipedia article on the topic. (So big it has a Wikipedia article.)
Instructure believed that they had resolved the incident and refused to pay the initial ransom* demand, but after the deadline passed the hacking group got in again on May 6th/7th and placed a warning message on the Canvas homepages of around 330 institutions (but no additional data was stolen). At that point Instructure took the entire service offline while they fixed that, and subsequently paid the ransom demand in an attempt to fully resolve the situation and restore trust and confidence in Canvas.
Of course Sunderland have been affected, and in due course we’ll be getting an individualised report on exactly what data of ours was included in the breach. We were initially frustrated by what we saw as a lack of response and clear communication from Instructure, but they have responded to that feedback well, acknowledging that they were flooded with enquiries in the initial aftermath and simply couldn’t keep up. And of course they had a lot of work to do to secure their systems before being able to share specific details with their partners. We know now that the attackers used Instructure’s Free-for-Teachers platform and cross-site scripting to gain access to their backend support systems. Free-for-Teachers remains offline, but the core Canvas system is back and fully operational, and complete downtime was limited to only 8 hours or so during the second attack, and this was overnight in the UK so we were minimally affected. I’ve been on a number of calls and webinars about the incident, of course, and I’m quite confident that Instructure have fortified their security across the board to minimise any further attack opportunities.
What I’m less confident about was the wisdom of paying the ransom, for “once you have paid him the Danegeld / You never get rid of the Dane”, as Kipling put it. Of course I’m not a lawyer, or a cybersecurity boffin, and I’m certain that this was an extremely difficult and complex decision for Instructure. However, as well as the moral principle of not paying ransom, there are very strong practical reasons why you shouldn’t, namely that you can’t trust criminals! Even Instructure’s own statement on the matter included a very large caveat that the hacking group could not be trusted, and they couldn’t be completely certain that the stolen data was destroyed, as claimed. The Reg published a great article on the fallout of the attack in which they explain this very well:
“CrowdStrike surveyed 1,100 global security leaders last summer, and of the 78 percent who said they experienced a ransomware attack in the past year, 83 percent of those that paid ransoms were attacked again. Plus 93 percent lost data regardless of payment.”
As a result, my concern is that this isn’t actually over, and has the potential to reappear further down the road. Had Instructure not paid, the data would have been leaked on the dark web, and it would have been very bad for everyone involved, but from that point I feel like we could all have rebuilt and recovered. Instead we may have a sword of Damocles hanging over us.
It’s a sad state of affairs that in the world we’ve built this is a common occurrence. Everyone gets hacked. Sunderland itself were hacked back in 2021 in what we now refer to as ‘the cyber security incident’. Part of the problem is that we’ve all outsourced data into huge silos managed by a small handful of tech giants. When I began my career, long, long ago, we ran Blackboard on our own servers. Our data, managed by the university, in a server room on campus with a mirrored offsite backup. It’s an approach that had its advantages. While I’m sympathetic towards Instructure, and I think they’re less likely to suffer from future incidents as a result of the security hardening measures they’ve put in place, I know that there are institutions who have already spun up a Moodle server almost overnight and moved away, possibly permanently. We’ve made our own contingency plans at Sunderland which I won’t talk about, and I’m looking forward to NELE in a few weeks to gossip with the gang and find out more about how Newcastle have handled things.
Something useful that I learned was that Jisc in the UK are constantly monitoring the dark web looking for evidence of data leaks which may affect any institution, and Instructure have contracted with a security agency who are doing the same thing on their behalf as part of their response to the incident.
More and up to date information is available on Instructure’s Incident Update webpage.
* These kind of attacks are called ‘ransomware’, but as a Reg Commentator commented, it would be more accurate to call this kind of attack blackmail.
Back down to Middlesborough today for a packed agenda. James got the ball rolling with a discussion of Middlesborough College’s experience as a Microsoft Innovative Educator Expert, and using badges – both digital and physical – to motivate staff to engage with their CPD offering. I think we got some good ideas from this one. They were using leaderboards, but with only the top three visible so as to reduce the risk of demotivating people.
Next, Malcolm led a discussion about modern alternatives to vivas which is an approach Durham is evaluating. This led on naturally to a wider discussion on the validity of assessments in the Gen AI age. There feels like a growing consensus on the need for vivas of some kind, whether digital or a sample of students, but practical and ethical issues abound. If it works as intended, I think Studiosity could be on to something with Validate.
We of course talked about Einstein, and though this particular service was shut down quickly enough (thanks to Einstein’s estate), the service was build on open technology and is relatively easy to recreate. In what I can only describe as ‘a bit of gossip’, we speculated on whether or not the whole service was a scam designed to entrap students, as there have been some reports of students who signed up for the service receiving blackmail style emails. It’s wild out there.
Other topics of conversation included Newcastle’s move to all 20 credit modules, amusing as at Sunderland we’re in the process of doing the opposite, moving everything to 30 or 60 credits; we talked software and processes for maintaining an internal knowledgeable; peer learning as an approach to alleviating imposter syndrome; had a look at Blackboard’s alternative to Canvas Catalog; and discussed access to premium Gen AI tools. On that topic, we’re all using CoPilot because it’s being bundled with our Microsoft site licenses, but on cost grounds only Northumbria are offering anything in addition – Claude.ai which, from my experience, I suspect is much appreciated by their school of Computing and Information Sciences in particular.
Rounding off the day, Bob from Middlesborough College demonstrated their in-house Inspire AI tool, which is a series of Gen AI ‘widgets’ designed to produce specific types of content based on a simple form, no prompt engineering required. It reminded me of TeacherMatic which we have experimented with, but Inspire was completely tailored to Middlesborough’s needs and requirements. On the back-end it’s using GPT 4.1-mini, but it can be updated with other models, and staff reported that the tool was very easy to use, and has been saving them time as they outsource low cognitive capacity tasks to it such as generating individual lesson plans or bespoke case studies.
It must be that time of year again! Except that ‘that time of year’ gets earlier and earlier. I liked it better when Studiosity timed their forum to coincide with Star Wars day, but that might just be me.
Nick Hillman from the Higher Education Policy Institute must have been a hit last year, because he was first up this year with a new ‘State of the Nation’ report which was, once again, excellent. Some highlights:
The 2026 HEPI Generative AI Survey (my first photo), shows near universal use of Gen AI tools among students at 95%, with 94% using it in some capacity related to completing their assessments. And yet, only 48% reported that staff were supporting their development of AI skills. Also of concern is the stat that 15% of students are using AI for companionship.
The slide on relative earnings by education level (second photo) clearly shows that there is still a great deal of value in getting a tertiary education, but that little red dot showing the relative earnings level for people without upper secondary level of education is terrifying in its implications, and demonstrates the massive problems we have with inequality in the UK.
The net benefit of international students on the UK economy is huge, and has grown to £37.4 billion.
The public massively overestimates rates of student regret – they guess 40%, when in reality it is 8%.
And to end on a positive note, everyone across the political spectrum (yes, even Reform voters), feel more generally positive towards universities than negative.
Next, Vivienne Stern from Universities UK gave a talk on the immediate issues facing the sector, cautioning that we are in danger of getting caught up in near-term issues and debates, instead of looking at the wider systemic issues, which ultimately all go back to chronic underfunding. She shared the fact that 24 universities in England were currently in ‘intensive care’, meaning they are close to insolvency, and expects this to double in the next 2-3 years.
That was a lot on the sector in general, but the morning was capped off with Studiosity’s main briefing which was delivered by Garnet Berry who presented on Validate and where Studiosity are taking the company next. I won’t say too much about this, having had a preview of the service a few weeks ago, but I did get to see more detail and screenshots of the Validate interface working inside Studiosity.
After we reconvened after lunch, the afternoon was handed over to a series of presentations and talks from Studiosity’s UK partners. I was struck by how similar the experiences of UWE Bristol and Greenwich University were to Sunderland’s. UWE reported the same issues with an attainment gap between white and BAME students that we have, and their high levels of uptake in Health matches our own experience. Similarly, Greenwich reported that they have found getting their Business School onboard has also been a challenge. On Studiosity+, UWE reported that since switching over to Studiosity’s AI powered service they have seen 4 times as much usage, though noted a slightly lower student level of satisfaction. However, coinciding with this was the inclusion of Studiosity in their new module templates, which will inevitably have helped drive use.
So Studiosity have bought out a wee Nordic company called Norvalid and are planning to integrate it into their service, and I was lucky enough to be given a sneak preview today. I think I need to be a little careful about what I say for the time being, but as Norvalid has been around for a while, I feel like it’s okay to talk about what they do.
Norvalid sprang up in response to the need to ensure academic integrity in the GenAI age, but are taking a different approach from the constant monitoring / police and punish model that we’ve seen to date from the likes of Turnitin (via Clarity) and Grammarly. Instead, Norvalid looks to do two things. First, it examines the ‘perplexity’ of a piece of writing, looking for the qualities it has of being human authored – so the opposite of trying to check for machine authored text. Secondly, it can then generate two different types of quiz based on that specific piece of writing which students have to answer as a check of their knowledge. The idea being that if they have indeed written the piece submitted, this should be quite straightforward. Kind of like a machine-generated mini viva.
Now under the umbrella of Studiosity, Norvalid will be integrated into their AI powered Writing Feedback service, and it will be offered to partners as an optional extra. Details and pricing to follow, after a trial with a small number of institutions over the summer.
This is a real cat; a real photo from @Bodega on Unsplash. Support real human artists over using AI.
Some people reading this blog, or who have ever talked to me about Generative AI, may think that I am somewhat of a doomer on the tech, but that’s not quite true. I recognise the potential of the technology and can see its utility, but I thoroughly dislike how it is being hyped and sold to us by the tech oligarchy, and I don’t believe that the current prevailing model of huge data centres is viable or desirable.
Over the holidays, a friend sent me this article which does a pretty good job of explaining something else I dislike about the current (mis)use of the tech to produce content slop, it just kind of gives me the ick.
