Hackers behind the Canvas breach have reached a deal with Instructure after claiming they stole data tied to nearly 9,000 schools and 275 million individuals.
The Canvas parent company said it reached an agreement with the unauthorized actor behind the breach, which disrupted schools and universities during finals season. Instructure emphasized that the deal was meant to stop further publication or extortion. The company said the stolen data was returned and destroyed, though it acknowledged there is no way to verify that every copy was fully deleted.
Instructure says stolen data was returned
âInstructure reached an agreement with the unauthorized actor involved in this incident,â the company said in its incident update.
As part of that agreement, Instructure said the data was returned, that it received digital confirmation of data destruction through âshred logs,â and that no Instructure customers would be extorted as a result of the incident.
Instructure has not confirmed whether it paid the hackers. The company noted that the agreement returned the stolen data and included digital confirmation that remaining copies were destroyed.
Still, the terms of the deal remain unclear. Financial terms were not disclosed, and the removal of ShinyHuntersâ leak-site listing indicated a ransom may have been paid, according to TechCrunch.
âThe data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us,â a ShinyHunters representative told Reuters.
âWhile there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,â Instructure said.
Exposed data included messages and emails
Instructure emphasized that the incident involved unauthorized access to part of its environment. The affected data fields included usernames, email addresses, course names, enrollment information, and messages.
Instructure added that core learning data, including course content, submissions, and credentials, was not compromised. âCanvas by Instructure is fully operational and remains safe to use,â the company highlighted.
According to The Associated Press, the breach appeared to involve student ID numbers, email addresses, names, and Canvas platform messages, citing earlier comments from Instructure Chief Information Security Officer Steve Proud.
Must-read security coverage
Schools face follow-up questions
Instructure said it identified a vulnerability in its Free for Teacher support tickets that was exploited. The company temporarily disabled Free for Teachers while it conducts a full security review.
TechCrunch noted that ShinyHunters claimed to have breached Instructure twice, first in the April 29 data breach and again the following week, when the hackers defaced Canvas login pages on school websites.
Instructure clarified that the two breaches were âdistinct eventsâ involving different systems.
Reuters said the House Homeland Security Committee asked Instructure CEO Steve Daly for a briefing on the companyâs response, the nature and amount of data stolen, and coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency.
For schools and universities, the practical work now shifts to follow-up and monitoring. Instructure advised students, parents, and employees to contact their own schools or institutions for situation-specific guidance and to be cautious of unexpected emails or messages.
For more context on the breachâs potential scale, read our earlier coverage of the Canvas breach.
Read the full article here
