American EdTech Company Instructure Pays Ransom to Cybercriminals
Instructure, an American educational technology company and the parent company of Canvas, has confirmed that it paid a ransom to a cybercrime group after suffering a network breach. The hackers threatened to leak stolen information from thousands of schools and universities.
The Utah-based firm stated that it reached an agreement with the unauthorized actor involved in the breach because of concerns about potential data publication. As a result of the agreement, all impacted customers have been covered, and the stolen data was returned to Instructure, along with proof of data destruction. The company gave assurances that none of its customers will be separately extorted following the hack.
Despite the controversial decision to pay the ransom, Instructure believed it was necessary to give customers peace of mind. The company is now working with expert vendors to enhance its cybersecurity measures and conduct a thorough review of the compromised data.
The breach, orchestrated by the ShinyHunters extortion crew, targeted Canvas, a popular web-based learning management system, resulting in the theft of 3.65 TB of data from nearly 9,000 organizations. The attackers exploited a vulnerability related to support tickets in the Free-for-Teacher environment to gain access and exfiltrate millions of records containing user information.
Following the breach, Instructure took immediate action by temporarily shutting down Free-for-Teacher accounts and implementing additional security controls. While course content, submissions, and credentials were not compromised, the stolen data could potentially be used for targeted phishing attacks against students, staff, and parents.
Halcyon, a cybersecurity expert, warned that the leaked records could be used for impersonation and phishing campaigns, urging affected institutions to issue advisories and communicate with their communities to prevent further attacks.

