B2 · Upper Intermediate · 12 min · cybersecurity · education technology · data privacy · cybercrime

The Invisible Theft: When They Hack the School

El robo invisible: cuando hackean la escuela
News from May 7, 2026 · Published May 8, 2026

About this episode

The cybercrime group ShinyHunters has stolen data from 275 million students and teachers on the Canvas learning platform, and it's not their first time. Fletcher and Octavio dig into who these hackers are, why education is such a soft target, and what it means when someone steals the data of nearly an entire generation.

El grupo de ciberdelincuentes ShinyHunters ha robado datos de 275 millones de estudiantes y profesores de la plataforma educativa Canvas, y es la segunda vez que lo hacen. Fletcher y Octavio exploran quiénes son estos hackers, por qué el sector educativo es tan vulnerable y qué significa robar los datos de casi toda una generación.

Your hosts
Fletcher Haines (English)
Octavio Solana (Spanish)

Key Spanish vocabulary

7 essential B2-level terms from this episode, with translations and example sentences in Spanish.

| Spanish | English | Example |
| --- | --- | --- |
| brecha de seguridad | security breach | La brecha de seguridad afectó a millones de estudiantes en todo el país. |
| ciberdelincuente | cybercriminal | Los ciberdelincuentes vendieron los datos robados en mercados del internet oscuro. |
| vulnerabilidad | vulnerability (technical or general) | Los atacantes encontraron una vulnerabilidad en el sistema que ya debería haberse corregido. |
| atribución | attribution | La atribución de un ciberataque es difícil porque los grupos operan de forma distribuida. |
| exigir | to demand, to require | Las instituciones deben exigir estándares más altos a los proveedores de tecnología. |
| imprescindible | indispensable, essential | Mejorar la seguridad informática es imprescindible para proteger a los estudiantes. |
| intermediario de datos | data broker | Los intermediarios de datos combinan información de distintas fuentes para crear perfiles detallados. |

Transcript

Fletcher EN

My students use Canvas.

Every single one of them.

And I just learned this week that 275 million people who use that platform, teachers and students, had their data stolen.

Again.

Octavio ES

Sí, es un número que parece imposible.

Yes, it's a number that seems impossible.

Doscientos setenta y cinco millones.

Two hundred and seventy-five million.

Es más que la población de Estados Unidos.

That's more than the entire population of the United States.

Fletcher EN

Right, and the group responsible, ShinyHunters, didn't exactly hide what they did.

They announced it.

They claimed it.

Which tells you something about the current state of cybercrime.

Octavio ES

Para entender esto bien, hay que saber quiénes son ShinyHunters.

To understand this properly, you need to know who ShinyHunters are.

No son novatos.

They're not amateurs.

Son uno de los grupos de ciberdelincuentes más activos del mundo, conocidos desde 2020.

They're one of the most active cybercrime groups in the world, active since 2020.

Fletcher EN

Most people probably know them from the Ticketmaster breach two years ago.

Five hundred and sixty million records.

That was their biggest hit before this, or at least the most visible one.

Octavio ES

Exactamente.

Exactly.

También atacaron al banco Santander, a varias empresas tecnológicas, y a muchas universidades.

They also hit Santander Bank, several tech companies, and many universities.

Pero lo que hace especial este ataque es que Canvas no es una empresa cualquiera.

But what makes this attack special is that Canvas isn't just any company.

Fletcher EN

Canvas, for listeners who don't know it, is the platform.

It's what most American universities and a huge number of K-12 schools use to run everything.

Assignments, grades, messages between students and teachers, course materials.

It's the infrastructure of modern education.

Octavio ES

Y lo más preocupante, Fletcher, es que esto no es la primera vez.

And the most alarming part, Fletcher, is that this isn't the first time.

ShinyHunters ya había entrado en Canvas antes.

ShinyHunters had already broken into Canvas before.

Esto es el segundo ataque.

This is the second attack.

Eso significa que las medidas de seguridad que tomaron después del primero no fueron suficientes.

That means whatever security measures they put in place after the first breach weren't enough.

Fletcher EN

That's the detail that really got me.

Not the scale, though 275 million is staggering.

It's the fact that they came back and walked right in again.

That's not a hacking story, that's a structural failure story.

Octavio ES

Claro.

Exactly.

Y para entender por qué pasa esto, hay que entender cómo funcionan estos grupos.

And to understand why this happens, you need to understand how these groups operate.

ShinyHunters no actúa como en las películas, con un genio solitario en una habitación oscura.

ShinyHunters doesn't work like in the movies, with a lone genius in a dark room.

Son una organización con divisiones de trabajo.

They're an organization with a division of labor.

Fletcher EN

Walk me through it.

Because I think most people, including me until fairly recently, picture a hacker as one very clever person sitting somewhere in Eastern Europe.

And that's just not what this is.

Octavio ES

Piénsalo como una empresa criminal.

Think of it as a criminal enterprise.

Hay personas que encuentran las vulnerabilidades, otras que las explotan, otras que gestionan los datos robados, y otras que los venden en los mercados del internet oscuro.

There are people who find the vulnerabilities, others who exploit them, others who manage the stolen data, and others who sell it on dark web markets.

Es una cadena de producción.

It's a production chain.

Fletcher EN

And Canvas is an appealing target precisely because of the type of data it holds.

This isn't credit card numbers.

This is something arguably more valuable, especially over time.

Octavio ES

Eso es fundamental.

That's the key point.

Los datos educativos incluyen el nombre completo, la dirección de correo electrónico, la institución, el año de estudio, a veces información financiera relacionada con becas.

Educational data includes full name, email address, institution, year of study, sometimes financial information related to scholarships.

Son datos que no cambian.

It's data that doesn't change.

Tu número de tarjeta se puede cancelar;

You can cancel your credit card number;

tu historial académico, no.

your academic history, you can't.

Fletcher EN

Permanent identity data.

That's a phrase I keep coming back to.

And when you think about what you can do with that, the most immediate concern is phishing.

Targeted, convincing phishing.

Octavio ES

Exacto.

Exactly.

Imagina que recibes un correo electrónico que parece venir de tu universidad, con tu nombre, el nombre de tu profesor, el nombre correcto de tu curso.

Imagine you get an email that looks like it's from your university, with your name, your professor's name, the correct name of your course.

Ese correo puede pedirte que hagas clic en un enlace o que compartas más información.

That email might ask you to click a link or share more information.

Muy poca gente lo detecta.

Very few people catch it.

Fletcher EN

And now add AI into that equation.

Because generating a personalized, grammatically perfect, contextually appropriate phishing email for 275 million people is not a manual task anymore.

That's what, a weekend of compute time?

Octavio ES

Menos.

Less.

Y eso es lo que ha cambiado en los últimos dos o tres años.

And that's what's changed in the last two or three years.

Antes, los ataques de phishing eran fáciles de reconocer porque estaban mal escritos o eran muy genéricos.

Before, phishing attacks were easy to recognize because they were poorly written or very generic.

Ahora, con los modelos de lenguaje, pueden ser perfectos.

Now, with language models, they can be flawless.

Fletcher EN

Which brings me to the question I've been circling around since I read this story.

Why is the education sector so consistently bad at cybersecurity?

Because this isn't a one-off.

Schools and universities get hit constantly.

Octavio ES

La respuesta es incómoda pero sencilla: el dinero.

The answer is uncomfortable but simple: money.

Las universidades y los colegios no tienen los presupuestos que tienen los bancos o las empresas tecnológicas para proteger sus sistemas.

Universities and schools don't have the budgets that banks or tech companies have to protect their systems.

Y tienen datos igualmente valiosos.

And they have equally valuable data.

Fletcher EN

I can confirm that from personal experience.

UT Austin is a major research university with serious resources, and I still get emails from IT telling me to update my password on systems that feel like they were built during the Obama administration.

Octavio ES

Y eso es una universidad grande.

And that's a big university.

Piensa en los miles de colegios públicos más pequeños que también usan Canvas.

Think about the thousands of smaller public schools that also use Canvas.

Muchos de ellos tienen un solo técnico de informática para toda la institución.

Many of them have just one IT technician for the entire institution.

Fletcher EN

So you have a system used by an enormous, underfunded sector, holding some of the most persistent personal data in existence, and the group that already cracked it once just cracked it again.

That's a policy failure as much as it's a technology failure.

Octavio ES

Completamente de acuerdo.

Completely agree.

Y aquí es donde la comparación entre Estados Unidos y Europa es interesante.

And this is where the comparison between the United States and Europe becomes interesting.

En Europa, el Reglamento General de Protección de Datos, el RGPD, obliga a las empresas a notificar las brechas de seguridad en 72 horas y puede multar con hasta el cuatro por ciento de su facturación anual.

In Europe, the General Data Protection Regulation, the GDPR, requires companies to report breaches within 72 hours and can fine them up to four percent of their annual turnover.

Fletcher EN

Four percent of annual turnover.

For a company the size of Instructure, Canvas's parent company, that would be a real number.

A consequential number.

In the US, data breach law is a patchwork.

It depends on the state, the industry, the specific data type.

Octavio ES

Y en el ámbito educativo en Estados Unidos, la ley principal es FERPA, que protege la privacidad de los registros académicos pero que fue escrita en 1974.

And in the educational sphere in the United States, the main law is FERPA, which protects the privacy of academic records but was written in 1974.

No estaba pensada para este mundo.

It was not designed for this world.

Fletcher EN

1974.

The year Nixon resigned.

The Watergate year.

That's the legal framework protecting the data of 275 million students.

I mean, I don't know what else to say about that.

Octavio ES

Lo que debemos preguntarnos es: ¿quién compra estos datos?

What we need to ask is: who buys this data?

Porque alguien los compra.

Because someone buys it.

El mercado existe porque hay demanda, y esa demanda viene de varios actores.

The market exists because there's demand, and that demand comes from several types of actors.

Fletcher EN

Give me the breakdown.

Octavio ES

Primero, los estafadores.

First, scammers.

Usan los datos para ataques de phishing, como dijimos.

They use the data for phishing attacks, as we said.

Segundo, los intermediarios de datos, que combinan información de distintas brechas para crear perfiles completos de personas.

Second, data brokers, who combine information from different breaches to build complete profiles of individuals.

Tercero, en algunos casos, estados o actores con intereses en espionaje, sobre todo cuando los datos incluyen a investigadores o estudiantes de posgrado en áreas técnicas.

Third, in some cases, states or actors with espionage interests, especially when the data includes researchers or graduate students in technical fields.

Fletcher EN

That third category is one that doesn't get enough attention.

When you're talking about graduate students in engineering, computer science, biology, a foreign adversary with that contact information is not just thinking about phishing.

They're thinking about recruitment.

Octavio ES

Es una preocupación real.

It's a real concern.

El FBI ha documentado casos de actores extranjeros que contactan a estudiantes en universidades estadounidenses precisamente a través de datos robados.

The FBI has documented cases of foreign actors contacting students at American universities precisely through stolen data.

No es ciencia ficción.

It's not science fiction.

Fletcher EN

Now, ShinyHunters themselves, the attribution question.

We know the name, we know the track record.

But who actually sits behind this group?

Because the answer to that shapes what kind of response is even possible.

Octavio ES

Esa es la pregunta difícil.

That's the hard question.

En 2022, las autoridades francesas y estadounidenses arrestaron a personas vinculadas a ShinyHunters.

In 2022, French and American authorities arrested individuals linked to ShinyHunters.

Pero el grupo siguió operando.

But the group kept operating.

Lo que eso nos dice es que ShinyHunters no es una persona ni un equipo fijo, sino una marca, una estructura que puede sobrevivir a detenciones.

What that tells us is that ShinyHunters isn't a person or a fixed team, it's a brand, a structure that can survive arrests.

Fletcher EN

A franchise model for crime.

Which is genuinely new, historically.

The industrial-scale criminal organization that can lose members and keep going because the knowledge and the tools are distributed.

That's what makes this so hard to prosecute.

Octavio ES

Y lo que me parece más grave de todo esto es que las víctimas, los estudiantes y los profesores, no tomaron ninguna decisión que los pusiera en riesgo.

And what strikes me as most serious about all of this is that the victims, the students and teachers, didn't make any decision that put them at risk.

Simplemente usaron la herramienta que su institución les obligó a usar.

They simply used the tool their institution required them to use.

No hay nada que pudieran haber hecho de forma diferente.

There's nothing they could have done differently.

Fletcher EN

That's the part of this that stays with me.

Every one of my students is in this breach.

They had no say in it.

Canvas wasn't optional.

The university chose Canvas, and now those students are dealing with the consequences of a decision they were never part of.

Octavio ES

Por eso es importante hablar de responsabilidad institucional.

That's why talking about institutional responsibility matters.

Las universidades y los colegios necesitan exigir estándares de seguridad más altos a los proveedores que eligen.

Universities and schools need to demand higher security standards from the vendors they choose.

Y los gobiernos necesitan hacer que esos estándares sean obligatorios, no voluntarios.

And governments need to make those standards mandatory, not voluntary.

Fletcher EN

Hold on, I want to come back to something you said a moment ago, because I noticed you used a specific construction in Spanish and I want to ask you about it.

You said "necesitan exigir." Why not just "deben exigir"?

Is there a difference?

Octavio ES

Buena observación.

Good catch.

Las dos funcionan, pero no son exactamente iguales.

Both work, but they're not exactly the same.

"Deber" tiene un matiz más moral, como una obligación ética.

'Deber' has more of a moral nuance, like an ethical obligation.

"Necesitar" habla más de una necesidad práctica, de algo que es imprescindible para que algo funcione.

'Necesitar' speaks more to a practical necessity, something indispensable for something else to work.

Fletcher EN

So if I say "las universidades deben mejorar su seguridad," that's almost a moral judgment.

And "las universidades necesitan mejorar su seguridad" is more like, this is just practically required for survival.

Octavio ES

Exactamente.

Exactly.

Y en el contexto de este tema, yo diría las dos.

And in the context of this topic, I'd say both.

Las universidades deben proteger a sus estudiantes porque es lo correcto, y también necesitan hacerlo porque si no, van a seguir perdiendo la confianza de la gente.

Universities should protect their students because it's the right thing to do, and they also need to do it because otherwise they're going to keep losing people's trust.

Fletcher EN

That's actually a useful distinction in English too, the difference between 'should' and 'need to.' 'Should' is ethical;

'need to' is existential.

I'll be honest, I didn't expect a cybersecurity story to end with a grammar lesson, but here we are.

Octavio ES

Siempre se aprende algo.

You always learn something.

Y lo que espero que la gente se lleve hoy no es solo la noticia, sino la idea de que estos datos no desaparecen.

And what I hope people take away today is not just the news, but the idea that this data doesn't disappear.

Una vez que se han robado, están en circulación para siempre.

Once it's stolen, it's in circulation forever.

Eso debería hacernos exigir más, no solo a Canvas, sino a todos los sistemas que guardan nuestra información.

That should make us demand more, not just from Canvas, but from every system that stores our information.

Fletcher EN

Two hundred and seventy-five million people who just wanted to submit their homework.

That's the story.

Gracias, Octavio.

Octavio ES

Gracias a ti.

Thank you.

Y a la próxima, Fletcher, cuando escribas tu contraseña, asegúrate de que no sea el nombre de tu perro.

And next time, Fletcher, when you type your password, make sure it's not your dog's name.
