When education software giant Instructure announced on May 1 that its widely used Canvas software was unavailable as it investigated a data security incident, it suggested the breach was mostly contained. That turned out to be overly optimistic.
While the firm posted updates on its site as its services returned to service, the ShinyHunters group that attacked them continued to issue threats to leak data from thousands of schools and millions of students.
On May 7, in the middle of Finals week at many schools throughout the nation, ShinyHunters attacked Instructure again, defacing some schools’ Canvas login pages and requiring Instructure to take down its infrastructure.
With students and schools stressed out and schools changing final exams and assignment deadlines, Instructure did what it hadn’t done before: it agreed to pay ShinyHunters to get the data deleted and the attacks to stop.
On its incident update page, the firm posted a May 11 update:
We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.
With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:
- The data was returned to us.
- We received digital confirmation of data destruction (shred logs).
- We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
- This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.
We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.
Please continue to reference https://www.instructure.com/incident_update for the latest information from us.
