Disaster averted?
Edtech giant Instructure, maker of the popular learning management system (LMS), Canvas, announced that it has made a deal with a hacking group known as ShinyHunters to protect the user data that the group stole recently. Order data breach.
According to Instructure CEO Steve Daly, ShinyHunters have agreed not to release the stolen information obtained in violation of the law and will not defraud any Canvas users.
Instructure has had its systems breached not once but twice by a hacking group known as ShinyHunters in the past two weeks. On April 30, hackers said they were able to extract the information of 275 million Canvas users from about 9,000 schools around the world. Affected users include students, teachers, and staff, and the data includes usernames, email addresses, student IDs, and private messages exchanged on the platform. Some of Instructure’s affected users are young students.
Then, in a the second incident last week, ShinyHunters defaced Canvas login pages for several schools due to vulnerabilities in Free To Teach platform accounts.
The data breach has caused Canvas to be taken offline multiple times. What’s worse is that these incidents are happening coincides with finals week in many schools, and the failure of the platform has caused some educational institutions to reschedule exams and coursework.
ShinyHunters threatened to release the stolen data if Instructure “negotiates a settlement” and pays the ransom on May 12.
Mashable Light Speed
Instructure and ShinyHackers struck a deal
On Monday, Instructure announced that it had struck a deal with ShinyHunters, which appears to accommodate at least some of the hackers’ demands.
“We know that concerns about the publication of data related to this incident remain on the minds of many customers,” said Daly in a statement posted on Instructure’s website. “We understand how devastating situations like this can be, and protecting our community remains our top priority. With that responsibility in mind, Instructure reached a settlement with the unauthorized actor involved in this incident.”
Instructure said the deal with ShinyHunters required the hackers to return the stolen data. The company also claimed to have found “digital verification of data destruction” in the form of cracked logs.
Ultimately, the company says it got an agreement from ShinyHunters that individual customers will not be defrauded of data stolen in the Instructure breach. The Canvas maker says the settlement the company made with the hackers “covers all affected Instructure customers.”
“There is no need for customers to attempt to communicate with an unauthorized actor,” Instructure said in its statement.
Instructure has not disclosed any kind of financial arrangement with ShinyHunters. The company also admitted that the deal was made with a party that could not be trusted and that may not determine its fate.
“While there is no absolute certainty when dealing with cybercriminals, we believe it was important to take all the steps we can to give customers as much peace of mind as possible,” Daly said. “We continue to work with specialist vendors to support our forensic analysis, strengthen our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work continues.”
Instructure says students, teachers, and other customers affected by the breach can visit the incident response page for additional updates.
