Instructure strikes deal with hackers who breached it twice

Instructure, the maker of the Canvas school information platform, has reached an agreement with the hackers who breached its systems twice, according to the company’s statement on Tuesday. The hackers, identified as ShinyHunters, claimed to have stolen data affecting hundreds of millions of students and staff, and had used the breaches to pressure the company into paying a ransom. The deal reportedly includes the hackers providing evidence that the stolen data was destroyed, although the financial terms remain undisclosed.

On Tuesday, Instructure confirmed that it had negotiated an agreement with ShinyHunters, a cybercrime group responsible for two separate breaches of its systems within less than a year. The first breach, in April, involved the theft of data from approximately 275 million individuals, including students and staff, with the hackers claiming to have stolen personal information such as names, email addresses, and private messages exchanged on the platform. The second breach, last week, saw the hackers deface Canvas login pages on school websites, escalating pressure on the company to meet extortion demands.

Instructure’s statement indicated that, as part of the agreement, the hackers had provided evidence that the stolen data was destroyed and that the company’s customers would not be extorted further. The company did not disclose whether it paid a ransom or the amount involved. The hackers’ leak site previously threatened to publish the stolen data if demands were not met, but the listing was removed Tuesday, suggesting a ransom may have been paid. A ShinyHunters representative confirmed to TechCrunch that the data was deleted and that the group would cease further contact or threats.

Why It Matters

This development is significant because it highlights ongoing cybersecurity risks faced by educational institutions and the potential for data breaches to disrupt school operations and compromise sensitive information. The fact that hackers successfully breached Instructure twice within a year underscores vulnerabilities in the platform’s security measures. The decision to negotiate and potentially pay a ransom raises questions about best practices for responding to cyber extortion, especially given warnings from U.S. authorities advising against ransom payments to discourage incentivizing cybercriminals.

Background

Instructure’s breaches follow a pattern seen in similar incidents affecting educational technology providers, such as PowerSchool, which paid hackers after a massive data breach affecting millions of students and staff. The FBI and U.S. government agencies have issued warnings advising victims not to pay ransoms, citing risks of continued extortion and data misuse. The involvement of ShinyHunters, a known financially motivated hacking group, underscores the persistent threat posed by organized cybercrime targeting sensitive data in the education sector.

Instructure acknowledged the breaches publicly, noting that the two incidents involved different systems and were “distinct events.” The company is still investigating the breaches, and it remains unclear who within Instructure is responsible for cybersecurity oversight. The CEO, Steve Daly, has not commented on whether he intends to resign amid the incidents.

“We have reached an agreement with the hackers, and they have provided evidence that the stolen data has been destroyed.”

— Instructure spokesperson Brian Watkins

“The data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.”

— ShinyHunters representative

“Victims should not send payment or respond to extortion demands.”

— FBI statement

What Remains Unclear

It is not yet clear whether Instructure paid a ransom or if the hackers’ claim of data destruction is verified independently. The specifics of the financial agreement, if any, remain undisclosed. Additionally, the full scope of the data affected and whether other security measures have been implemented are still unknown. The responsibility for cybersecurity oversight within Instructure has not been clarified, and the potential impact on user trust is uncertain.

What’s Next

Instructure is expected to continue its investigation into the breaches and may implement additional security measures. The company might also issue further statements or updates regarding its cybersecurity strategy. Regulatory agencies could scrutinize the incident, and affected schools may review their data security protocols. Monitoring of the hackers’ activity and potential future threats remains a key concern for stakeholders.

Key Questions

Did Instructure pay a ransom to the hackers?

It has not been officially confirmed whether Instructure paid a ransom. The removal of the hackers’ leak site listing suggests a ransom may have been paid, but the company has not disclosed specific details.

What data was stolen in the breaches?

The stolen data reportedly includes students’ names, personal email addresses, and private messages exchanged between teachers and students. Some of this data has been reviewed by TechCrunch.

Will this affect the security of Canvas moving forward?

Instructure has stated it is investigating the breaches and is likely to enhance its security measures. The full impact on platform security remains to be seen.

Are other schools or platforms at risk?

Given the pattern of attacks on education technology providers, other schools and platforms may also be at risk. Authorities continue to warn against paying ransoms and recommend strong cybersecurity practices.