Company behind Canvas makes deal with hackers; Says stolen data was destroyed
Instructure, the parent company of the hacked education platform Canvas, has reached an agreement with ShinyHunters, the hacker group that broke into its system and accessed university and student data last week. Instructure says that the stolen data has been destroyed. It did not say whether it paid the ransom the hackers demanded.
“As part of the agreement, the data was returned to us. We received digital confirmation of data destruction (shred logs). We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” Instructure said. The company said that the agreement covers all impacted Instructure customers, and no individuals need to engage with the hackers.
Last week, Instructure announced that hackers had stolen the data of 275 million lecturers, teachers, and students through its Canvas platform. Schools and universities, including many in the Netherlands, use the Canvas software for communication between teachers and students, such as submitting assignments and viewing grades. The stolen data included student numbers, names, email addresses, course names, enrollment information, and messages.
Several days after the initial attack, ShinyHunters again accessed the Canvas platform and posted a message, taunting Instructure for trying to keep them out with security patches instead of contacting the hackers to resolve the matter. ShinyHunters set a new deadline for reaching a deal, or they would publish the stolen data. That was today, May 12.
Instructure did not say whether it paid the ransom the hackers demanded. ShinyHunters is the same group behind a major hack at telecom provider Odido. There, they stole data of 6.2 million current and former Odido customers, and published all the data when Odido refused to pay the ransom.
In the Netherlands, multiple universities and universities of applied sciences use Canvas. It is unclear whether all of them were affected by the hack, but various institutions have issued warnings to their students and staff to be wary of online scams.
Instructure apologized to its customers. “Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that.”