Canvas Learning Management System maker Instructure has come to terms with the cybercriminal extortion group responsible for data stolen in last month’s breach affecting nearly 9000 educational institutions.
In an incident update, the Utah-based education technology firm said it had “reached an agreement with the unauthorized actor involved in this incident.”
The company has not stated whether money exchanged hands, though the attackers, understood to be the ShinyHunters collective, typically extorts victims into Bitcoin payments via encrypted negotiations.
Data Returned
Instructure said the arrangement covers all affected customers and individual institutions do not need to engage with the attackers.
The stolen data has reportedly been returned, and the company has received what it described as digital confirmation of its destruction, alongside assurances that no Instructure customer will be separately extorted.
The firm acknowledged the inherent uncertainty of dealing with cybercriminals but said it had taken every step within its control to reassure customers.
Read more on the Canvas extortion campaign: ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign
Notably, engaging with ransomware groups runs counter to law enforcement guidance globally and offers no guarantee that exfiltrated data has actually been destroyed.
Phishing Risk Outlasts the Settlement
The original breach exploited an undisclosed flaw concerning support tickets in the Free-For-Teacher version of Canvas, allowing attackers to siphon about 275 million records.
Stolen fields included usernames, email addresses, course names, enrollment information and messages, though Instructure has stressed that course content, submissions and credentials were not compromised.
A second wave on May 7 saw attackers deface Canvas login portals at roughly 330 institutions with extortion messages, setting a May 12 deadline for negotiation.
Researchers at Halcyon, the cybersecurity firm tracking the campaign, warned that the leaked records could be used to “impersonate school administrators, IT support or financial aid offices” in follow-on attacks.
Even with stolen data ostensibly returned, Halcyon urged affected institutions to issue phishing advisories and direct communications to staff, students and parents without delay.
Instructure has temporarily shut down Free-For-Teacher accounts, revoked privileged credentials and access tokens for affected systems, rotated internal keys and deployed additional security controls.
The company said it is also working with forensic vendors and conducting a comprehensive review of the exposed data.
