ITS is addressing security issues associated with the online tool Canva (https://Canva.com). Our security staff was notified of security breaches in late 2021 and is aware that several agencies have been using Canva in day-to-day operations. Please be assured ITS has continued to work towards a resolution on this issue.
Background
Canva is a graphic design program used to create social media graphics, presentations, posters, documents, and other visual content. In late 2021, Canva’s website and services were hacked/breached by malicious actors who harvested (stole) credentials inside Canva to gain access to Canva customers’ systems.
Response
The ITS security team had to act on several attempts by hackers trying to gain access to Idaho systems and credentials. The ITS network and security operations teams were able to thwart these attempts and immediately began working with the Canva team to resolve the hacking issue on Canva’s end. The team also wanted to make sure Idaho systems would not be targeted with further attempted hacks.
ITS attempted to work with the Canva team to resolve this issue, but attempts to communicate with the Canva security team have not been successful, and their security team has been non-responsive.
Because ITS has not been able to resolve this issue or mitigate the risks that using the Canva platform poses, ITS management and security engineers made the decision to block and lock down all access to the Canva website. This act will help minimize further risk and exposure to our systems from hackers and will protect the Idaho State Network agencies/customers who were exposed to the original hacking attempt.
Current Status
Presently, ITS is advising all Canva users to utilize other tools that can help create the same products and continue with day-to-day projects and tasks.
One of the recommended tools is Adobe Express. As many agencies are participating in the Adobe Enterprise Term License Agreement (ETLA), this product is available for your agency to use. However, if you have questions about your agency’s contract, involvement, or usage, please reach out to our Adobe Rep/Software Architecture Engineer, Chris Carlisle, to assist in the transition.
Follow Up
We apologize for any inconvenience this poses, but based on the fact that these malicious actors have already proven they can “phish” their way into gaining credentials and access to State systems, ITS determined it is in Idaho’s best interest to continue to block access to the Canva site for all agencies and entities.