DMR News

Advancing Digital Conversations

Instructure Reaches Agreement With ShinyHunters After Canvas Breaches Exposed Student And Staff Data

By Jolyen

May 13, 2026

Instructure said on Tuesday that it had reached an agreement with the cybercrime group ShinyHunters following two breaches that affected the company’s Canvas platform, exposed large amounts of student and staff data, and disrupted schools that rely on the software for coursework and student information management.

ShinyHunters claimed responsibility for the April 29 breach and said it had stolen personal data belonging to 275 million people. The group alleged that it compromised Canvas, the education platform used by nearly 9,000 schools to manage student records, assignments, and communication.

The hackers later breached the company for a second time and defaced Canvas login pages on school websites. According to the report, the second incident was intended to pressure Instructure into paying an extortion demand.

Agreement With Hackers

Instructure said on its incident page late Monday that the agreement included evidence from the hackers showing that the stolen data had been destroyed and that Canvas customers would not face further extortion attempts connected to the incident.

The company stated that there is “never complete certainty” when negotiating with cybercriminals. However, it added that customers should not need to engage directly with the hackers.

Instructure did not disclose the financial terms of the agreement and did not confirm whether a ransom payment was made. Brian Watkins declined to comment beyond the company’s published statement and did not answer questions about the arrangement when contacted on Tuesday.

In a post published on its leak site, which TechCrunch reported it had reviewed, ShinyHunters threatened to release the stolen information publicly if Instructure did not meet its payment demands.

By Tuesday, the listing had been removed from the group’s page, suggesting that an agreement may have been reached.

A representative from ShinyHunters told TechCrunch: “The data is deleted, gone. The company and it’s [sic] customers will not further be targeted or contacted for payment by us.”

Concerns Around Ransom Payments

It remains unclear why Instructure decided to negotiate with the hackers. Governments, including the United States, have repeatedly advised organizations not to pay cybercriminals because ransom payments can support future attacks and criminal operations.

Security researchers have also warned that companies cannot fully verify claims made by cybercriminal groups. Some attackers have previously claimed to delete stolen data while retaining copies for future extortion attempts.

The incident has drawn comparisons to the 2024 cyberattack against PowerSchool, another provider of school information software. That breach affected 70 million students and staff members. PowerSchool paid hackers in exchange for the return of stolen data, but several customers were later targeted by another cybercrime group that possessed data connected to the earlier breach.

Last week, the Federal Bureau of Investigation said it was aware of disruptions affecting schools and educational institutions across the United States. The agency did not specifically name Canvas but advised victims not to send payments or respond to cybercriminal demands.

Data Exposed In The Breach

According to TechCrunch, some of the stolen data included students’ names, personal email addresses, and messages exchanged between teachers and students. The messages reportedly contained private and personal information.

On its website, Instructure acknowledged that hackers breached the company twice within a year. The company said the two incidents were “distinct events” involving different systems.

Instructure added that it is continuing to investigate the breach and validate its findings.

It also remains unclear who oversees cybersecurity operations at the company. TechCrunch reported that when contacted, Instructure did not say whether chief executive Steve Daly planned to resign following the breaches.

