Instructure Reaches Agreement With Hackers Behind Canvas Data Breach

Instructure announced on Tuesday it had reached an agreement with the cybercriminal group ShinyHunters responsible for a data breach involving the Canvas learning platform. The breach resulted in the theft of more than 3.5 terabytes of personal information belonging to about 275 million people.

Those potentially affected included students and staff at about 9000 schools, universities and educational institutions in the United States, Australia, Canada and New Zealand. The stolen data included usernames, email addresses, course names, enrolment information and messages on the learning platform.

Instructure said the agreement led to the data being returned along with digital confirmation that the hackers had destroyed it and an assurance that none of its customers would be extorted as a result of the incident. The company did not explicitly state that money had been exchanged.

ShinyHunters previously claimed responsibility for the breach and called on institutions to negotiate a settlement to prevent the stolen data from being leaked. Cybersecurity consultant Luke Irwin from Brisbane-based Aegis Cybersecurity said people claiming to have knowledge of the situation estimated the payment at US$10 million.

Mr Irwin said the amount was broadly consistent with prior threat actor behaviour.

McGuinness, Australia's National Cyber Security Coordinator, said the federal government would not recommend anyone pay a ransom as cybercriminals cannot be trusted. She stated that making a ransomware payment does not guarantee sensitive data will be recovered nor prevent it from being sold or leaked online.

University of Queensland chair professor of cyber security Ryan Ko said Instructure had displayed a degree of naivety by bending to the whims of cybercriminals. He added that when an organisation pays a ransom the payer would then be put on what is called a sucker list so it is quite likely that more extortions will happen.

University of Canberra associate professor of cyber security Abu Barkat Ullah said it would be a challenge for the organisation to verify that every copy of the stolen data had been deleted. He noted that it is very difficult to know how many copies exist and who may have accessed it.

Australian government agencies discourage companies from paying ransoms warning there is no guarantee it will prevent the leak of information.

The company is now facing scrutiny from the Department of Homeland Security in the United States while multiple lawsuits have been filed against KKR the global investment firm that owns Instructure. The committee that oversees the Department of Homeland Security requested information from Instructure about the data breach.

Andrew Garbarino the chairman of the House Committee on Homeland Security wrote to the company stating that the recurrence of the breach raised serious questions about its incident response capabilities. Mr Garbarino said the scale and timing of the Instructure breach and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion are precisely the kind of systemic vulnerabilities this committee has a responsibility to examine.

He noted that ShinyHunters was a well-documented criminal threat actor with an extensive record of large-scale data theft and extortion targeting major organisations including Ticketmaster and AT&T. The initial data breach was believed to have occurred when unauthorised activity was detected in Canvas on April 29.

A second intrusion took place on May 7 which resulted in messages from the hackers being displayed on the accounts of Canvas users. This led to the platform being taken down to allow Instructure to contain and investigate the activity disrupting the learning of many students around the world.

Instructure said it had notified law enforcement about the data breach including the Federal Bureau of Investigation the US Cybersecurity and Infrastructure Security Agency and international partners. Officials in Australia are working with various government agencies to determine the impact of the breach and support their response while also working to improve cyber security within the higher education and research sector.

A survey of 1,000 people released by Australian law firm HSF Kramer in March found more than 55 per cent of respondents had their data stolen in the past 12 months. While the respondents were split on how concerning they found the breaches 52 per cent said ransoms by criminal groups should never be paid compared to just 9 per cent who felt organisations should pay up every time.