Instructure, the company behind the Canvas learning management platform, says it has “reached an agreement” with hackers that breached its systems last week to prevent stolen data from being leaked online.
The ShinyHunters hacking group claimed responsibility for the attack before Canvas was briefly taken offline. The group threatened to publish 3.5 terabytes of student data if ransom demands for a “settlement” weren’t met. Now, Instructure says the stolen data has been returned as part of its unspecified “agreement” with the hackers, alongside a promise that “no Instructure customers will be extorted as a result of this incident.”
“We understand how unsettling situations like this can be, and protecting our community remains our top priority,” Instructure said in its latest statement. “With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
Instructure doesn’t explicitly say that it paid ShinyHunters, but this update certainly suggests as much. Ransom payments can go toward funding further ransomware attacks, and there’s no guarantee that the hacking group will uphold its side of the bargain. Instructure said it had received proof that the stolen data had been destroyed (which begs the question of how that data was also “returned”), and that its agreement covers all customers impacted by the breach.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved.”
Most Canvas systems have since been restored, and Instructure is planning to share more information about the attack in a webinar tomorrow. Last week, Instructure said hackers had exploited Free-For-Teacher accounts to breach its systems and responded by temporarily shutting down those accounts. Instructure has not announced when access to Free-For-Teacher accounts will be restored.
