Instructure Pays Ransom to Canvas Hackers

Instructure has paid a ransom to the hackers who breached the company’s learning management system, Canvas, twice in the past week and a half.
According to an update published by the academic firm on Monday night, the agreement means that the hackers recovered the vulnerable information of about 275 million users at more than 8,800 institutions.
The company—whose LMS is used to deliver courses in 41 percent of higher education institutions in North America—said it had “received digital verification of data destruction (activated logs)” and assurances “that no Instructure customers will be defrauded as a result of this incident, publicly or otherwise.” It added that the deal “covers all affected Instructure customers” and that individual customers “have no need” to contact ShinyHunters, the hacker group that has hacked and disabled Canvas twice so far this month.
“While there is no absolute certainty when dealing with cybercriminals, we believe it was important to take all the steps we can to provide customers with as much peace of mind as possible,” the company wrote. “We continue to work with specialist vendors to support our forensic analysis, strengthen our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.”
Although the company did not disclose the amount of the deal, it was reached one day before the May 12 ransom deadline set by ShinyHunters. The group is also linked to recent data breaches at the University of Pennsylvania, Princeton and Harvard University.
ShinyHunters’ intrusion into Canvas has caused major service disruptions. The group warned Instructure to pay up if it didn’t want all that user data—including names, email addresses and student ID numbers—leaked.
“Several billions of private messages between students and teachers and students and other students involved, containing personal conversations and more [personal identifying information],” ShinyHunters wrote in a ransom note published on May 3 by the website Ransomware.live, which tracks and monitors victims of ransomware groups and their work. “… [digital] problems you will face.” It warned the company to “make the right decision” to avoid becoming “the next topic.”
While Instructure appeared to ignore those demands, it has faced security issues, and Canvas was fully functional as of last Tuesday, May 5.
But that didn’t stop the hackers from making big headlines later in the week. On Thursday, Canvas users—many preparing for final exams and completing end-of-semester assignments—were unable to access their accounts again. Instead, all they saw was a message from the hackers.
“ShinyHunters broke Instructure (again). Instead of contacting us to fix it they ignored us and made ‘security patches,’” the message read. “If any of the schools on the affected list are interested in preventing the release of their data, please contact an online consulting firm and contact us confidentially at TOX to discuss an agreement.” They gave the institutions and Instructure a deadline of May 12.
According to ShinyHunters, Instructure ignored their original ransom demands.
“Academics did not even bother to talk to us to understand the situation or even to negotiate with us to prevent the release of this data. Our demand was not as high as you might think,” reads one version of the gang’s ransom note posted on RansomLook, a website that tracks computer crime. “The company does not seem to care about all the affected students and institutions affected by this data breach.”
In response, many universities are postponing exams and project deadlines as they wait for Canvas to resolve the issue. And over the weekend, Instructure CEO Steve Daly promised to handle the hack differently the second time around.
“Last week, we made a call to correct the facts before speaking publicly. That thinking is not wrong, but we found the wrong balance. We focused on finding the facts and remained silent when you needed consistent updates,” he wrote in an update on the company’s website. “That’s clear, and it’s the right answer. We’ll change that going forward.”
Apparently, Instructure has also opened communication with the hackers. On Monday afternoon, it reported on its website that “all Canvas locations are available.”



