Instructure Pays Ransom to Hackers Following Major Canvas Data Breach Amid Congressional Investigation
In a significant development within the education technology sector, Instructure, the company behind the widely used Canvas platform, has confirmed that it paid a ransom to the ShinyHunters cybercriminal group. This decision follows a series of breaches that compromised sensitive information from thousands of educational institutions.
Late on Monday evening, Instructure disclosed its agreement with ShinyHunters, which included the return of stolen data and digital confirmation of its destruction. The company emphasized that no customers would face extortion as a result of this incident, stating, “This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”
Timeline of the Breach
The ShinyHunters group executed two breaches of the Canvas platform within a two-week period. The first breach occurred on May 1, during which they reportedly stole extensive data, including names, email addresses, student IDs, and communications between students and professors. A subsequent attack on May 7 involved defacing the platform with a ransom message, causing significant disruption for users. As a result, millions of students and faculty were unable to access class materials just before final exams.
ShinyHunters claimed to have compromised data from approximately 9,000 Instructure customers and threatened to leak this information unless ransoms were paid by individual institutions by May 12.
Congressional Oversight and Investigation
The decision to pay the ransom coincided with an announcement from the House Homeland Security Committee, which indicated plans to investigate the cyberattack. Representative Andrew Garbarino (R-NY), the committee chairman, sent a letter to Instructure’s CEO requesting a briefing on the incident before May 21. He expressed concern over the implications of the breach for students and educational institutions, emphasizing the need for transparency regarding how educational technology companies manage cybersecurity risks.
Garbarino’s letter outlined several key areas for the briefing, including the circumstances surrounding both breaches, the nature and volume of data accessed, and the adequacy of Instructure’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA). He noted discrepancies between Instructure’s public statements and the scale of the breach as claimed by the attackers.
Implications for Cybersecurity in Education
The repeated breaches within such a short timeframe raise critical questions about Instructure’s incident response capabilities and its obligations to protect the data of educational institutions and individuals. Garbarino highlighted the systemic vulnerabilities that this incident exposes, stating, “The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”
Instructure’s CEO, Steve Daly, issued an apology to customers over the weekend, asserting that Canvas is currently safe to use. He also announced that CrowdStrike and another cybersecurity firm have been engaged to conduct a forensic analysis of the incident and enhance security measures.
FBI Involvement and Student Guidance
The FBI has acknowledged the disruption caused by the breach and has advised students not to respond to any communications from the hackers demanding payment. An FBI spokesperson clarified that receiving messages from ShinyHunters does not necessarily indicate that personal information has been compromised. The agency recommended that individuals await formal guidance from their educational institutions regarding the specifics of the incident and any affected data.
As of Monday, the ShinyHunters leak site was taken offline, suggesting possible action from federal authorities targeting the group. This breach is part of a broader trend, as ShinyHunters has been linked to previous attacks on high-profile companies, including Ticketmaster and AT&T, as well as recent incidents involving educational publishers like McGraw Hill.
Conclusion
The Instructure breach serves as a stark reminder of the vulnerabilities facing educational technology platforms and the critical need for robust cybersecurity measures. As investigations continue, the implications of this incident will likely resonate throughout the education sector, prompting a reevaluation of how institutions manage and disclose cybersecurity risks.
For further details on this incident, refer to the original reporting source: therecord.media.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
