Crisis averted?
Edtech giant Instructure, maker of the popular learning management system (LMS) Canvas, announced that it made a deal with the hacking collective known as ShinyHunters to safeguard the user data the group stole during the recent Instructure data breach.
According to Instructure CEO Steve Daly, ShinyHunters has agreed not to release the stolen data taken in the breach and will not extort any of Canvas’s users.
Instructure had its systems breached not once but twice by the hacking collective known as ShinyHunters over the past two weeks. On April 30, the cybercriminals said they were able to extract data belonging to 275 million Canvas users at nearly 9,000 schools worldwide. The affected users included students, teachers, and staff, and the data included usernames, email addresses, student IDs, and private messages exchanged on the platform. Some of Instructure’s impacted users are underage students.
Then, in a second incident last week, ShinyHunters defaced the Canvas login pages for numerous schools due to a weakness in the platform’s Free-For-Teacher accounts.
The data breaches resulted in Canvas being taken offline multiple times. What’s worse, these incidents happened to coincide with finals week for many schools, and the platform downtime resulted in some educational institutions having to reschedule tests and coursework.
ShinyHunters had threatened to release the stolen data if Instructure did not “negotiate a settlement” and pay a ransom by May 12.
Mashable Light Speed
Instructure and ShinyHackers strike a deal
On Monday, Instructure announced that it had struck a deal with ShinyHunters, seemingly giving in to at least some of the hackers’ demands.
“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers,” Daly said in a statement posted to the Instructure website. “We understand how unsettling situations like this can be, and protecting our community remains our top priority. With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
Instructure said the agreement with ShinyHunters required that the hackers return the stolen data. The company also said that it received “digital confirmation of data destruction” in the form of shred logs.
Finally, the company says it received an agreement from ShinyHunters that individual customers will not be extorted with the stolen data from the Instructure breach. The Canvas-maker says that the agreement that the company made with the hackers “covers all impacted Instructure customers.”
“There is no need for individual customers to attempt to engage with the unauthorized actor,” Instructure said in its statement.
Instructure didn’t share details regarding any sort of monetary arrangement with ShinyHunters. The company also acknowledged that the deal was struck with a party that cannot necessarily be trusted and may not hold up their end of the deal.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Daly said. “We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.”
Instructure says that students, teachers, and other customers affected by the breach can visit the incident response page for further updates.
