Deal reached with hackers to delete data stolen from the Canvas educational platform

The company that operates the Canvas online learning system said it reached a deal with hackers to delete data they stole in a cyberattack that wreaked havoc for students, many of whom were taking finals.

Instructure, Canvas’ parent company, said in an online post that it “has reached an agreement with the unauthorized actor involved in this incident.”

The company provided no details about the deal, including whether it involved payment, and did not say who was behind the hack. Instructure temporarily took the system offline during its investigation, blocking student and faculty access.

A hacking group named ShinyHunters claimed responsibility for last week’s breach, threatening to release data involving nearly 9,000 schools worldwide and 275 million people if the schools did not pay a ransom by May 6. The group later extended the deadline, saying some schools had entered into negotiations with them.

ShinyHunters was also behind a smaller infrastructure breach last year. A lawsuit filed last week in federal court in Utah alleges that Instructure didn’t do enough to protect the platform used by millions of students and became “easy prey for cybercriminals.”

As part of the agreement, the data was returned to Instructure. The company said on Monday it had also received “digital confirmation” that the hackers had destroyed all remaining copies, in the form of “shredding logs.”

The company acknowledged there was no way to be sure the data was permanently erased and said it took action because of concerns about the potential publication of the data.

“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to provide customers with additional peace of mind, wherever possible,” Instructure said.

Cybersecurity experts were skeptical that the attack would end. Cynthia Kaiser, former deputy director of the FBI’s cyber division, said the reported deal suggests a ransom was likely paid.

“What victims need to understand is that payment does not end the threat,” Kaiser, now senior vice president of the Halcyon Ransomware Research Center, said in a written statement. “Stolen data will be used against customers and users for as long as it remains profitable.”

The data breach appears to involve student ID numbers, email addresses, names and messages on the Canvas platform, Steve Proud, Instructure’s chief information security officer, said earlier this month. The company found no evidence that passwords, dates of birth, government credentials or financial information were compromised, it said.

The company said it was working with “expert vendors” to perform forensic analysis, “further harden” its systems and conduct a “full review of the data involved.”

The disruption caused panic last week among students and faculty members when they were locked out of a platform they rely on to manage grades and access course notes and assignments.

Schools and universities use Canvas to manage almost every aspect of education. The platform serves as a gradebook, a platform for digital lectures and course materials, a discussion forum for in-class projects, and a messaging platform between students and instructors.

Some courses also offer quizzes and exams on the platform, or use it as a portal where final projects and papers are submitted on time.

___

Heather Hollingsworth contributed to this report.
