‘Agreement’ with hackers resolves data breach on Canvas learning platform
Instructure, the education technology company behind the online learning platform Canvas, has reached an “agreement” with the hackers who took its systems offline last week, disrupting final exams and causing alarms about the exposure of students’ personal data across the country.
In a statement, Instructure said the hacker group, which it referred to as “the unauthorized actor,” returned the data it stole during its ransomware attack, destroyed its own stolen copy and promised not to extort the company’s customers.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company wrote. “We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.”
The statement comes after the decentralized cybercrime group known as ShinyHunters took credit on April 29 for the hack of Canvas, a platform used by more than 30 million people from more than 8,000 schools to manage grades, assignments and communications between educators and students.
The hackers claim to have stolen more than 3.6 terabytes of data that included personal information on 275 million people from 8,809 school systems during the attack. Instructure said following the breach that students’ names, email addresses, student ID numbers and communications from the platform had been stolen.
ShinyHunters later defaced Canvas login portals last Thursday with a warning that the stolen data would be leaked if Instructure did not pay a ransom.
The defacement and disruption came as students were preparing for finals. Although the service was restored later that day, numerous schools were forced to reschedule exams.
While Instructure did not explicitly say money was exchanged, the agreement suggests that a ransom was part of the deal. ShinyHunters’ leak site has also removed its listing about Instructure.
“The data is deleted, gone,” a representative for ShinyHunters said in a statement to TechCrunch. “The company and it’s [sic] customers will not further be targeted or contacted for payment by us.”
The FBI has long advised against paying ransoms to hackers.
“Paying a ransom doesn’t guarantee you or your organization will get any data back,” the FBI says. “It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
Instructure said a webinar that will provide students and educators with further information about the hacks is expected to take place Wednesday.
Round out your reading
- Are aliens real? Pentagon’s newly released UFO files suggest the truth is out there.
- A million Americans get this knee surgery every year. But does it work?
- Is the apocalypse now? One man is tracking flights by the rich to find out.
- ‘No Mow May’: A boon for the bees or a well-intended mistake?
- We’re building a new Straight Arrow. Help us shape our future by taking our survey.
Ella Rae Greene, Editor In Chief
