Education technology company Instructure has confirmed it paid a ransom to hackers who breached its Canvas learning management system twice in less than two weeks, compromising data from 275 million users. Canvas is used by almost 9,000 schools ranging from grade schools to universities.
Inside Higher Ed reports that Instructure announced Monday night that it reached an agreement with the cybercriminal group “ShinyHunters,” which had infiltrated the company’s widely-used Canvas learning management system on two separate occasions this month. The ransom payment, whose exact monetary value was not disclosed, secured the return of compromised personal data and assurances that affected customers would not face further extortion.
The breach impacted approximately 275 million users including teachers and students across more than 8,800 educational institutions. Canvas is used by 41 percent of higher education institutions in North America to deliver online courses, making it one of the most widely adopted learning management platforms in the region.
According to Instructure’s statement, the company received digital confirmation of data destruction in the form of shred logs from the hackers. ShinyHunters also provided assurance “that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” The agreement covers all impacted Instructure customers, and the company indicated that individual institutions have no need to engage directly with the extortionist group.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company wrote in its update.
The ransom was paid one day before ShinyHunters’ Tuesday deadline. The cybercriminal group, which has also been linked to recent data breaches at the University of Pennsylvania, Princeton University, and Harvard University, had warned Instructure of serious consequences if payment was not made.
The compromised data included names, email addresses, and student identification numbers. In a ransom letter published May 3 on the web, ShinyHunters claimed the breach involved “several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information].” The group initially demanded that Instructure make contact by May 6, warning the company to “make the right decision” to avoid becoming “the next headline.”
Instructure initially appeared to ignore these demands, instead focusing on addressing security vulnerabilities. Canvas was restored to full operational status by Tuesday, May 5. However, this resolution proved temporary.
By Thursday of the same week, Canvas users found themselves locked out of their accounts again during a critical period when many were preparing for final exams and completing end-of-semester assignments. Instead of accessing their coursework, users were confronted with a message from the hackers.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” the message read. The hackers offered individual schools the opportunity to negotiate settlements privately and imposed a new deadline of May 12 for resolution.
In a ransom letter posted to the web, ShinyHunters expressed frustration with Instructure’s initial response. “Instructure has not even bothered speaking to us to understand the situation or to even negotiate with us to prevent the release of this data. Our demand was not even as high as you might think it is,” the group wrote. “The Company seemingly does not care about all the students affected and the institutions impacted by this data breach.”
The second breach forced many universities to postpone examinations and extend deadlines for final projects as they awaited resolution of the service disruption.
Over the weekend, Instructure CEO Steve Daly acknowledged the company’s communication failures in handling the crisis. “Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates,” he wrote on the company’s website. “You’ve been clear about that, and it’s fair feedback. We will change that moving forward.”
The company evidently opened communication channels with the hackers following Daly’s statement. By Monday afternoon, Instructure reported that all Canvas environments were available and accessible to users.
The company stated it continues to work with expert vendors to support forensic analysis, strengthen its security infrastructure, and conduct a comprehensive review of the data involved in the breach. Instructure has committed to providing ongoing updates as this work progresses.
Read more at Inside Higher Ed here.
Lucas Nolan is a reporter for Breitbart News covering issues of AI, free speech, and online censorship.
Read the full article here