The company behind online education platform Canvas is indicating that it paid the hackers behind last Thursday's disruption in exchange for deleting the stolen data.
CEO Steve Daly disclosed that Instructure "reached an agreement" with the hackers that also included ending all extortion threats against Canvas customers. “As part of that agreement: The data was returned to us. We received digital confirmation of data destruction (shred logs). We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” he wrote.
Daly did not explicitly say that Instructure paid a ransom. However, the collective reaction from many cybersecurity experts is, "They paid."
That decision will no doubt face controversy. Although Instructure will justify the move as protecting its customers, the company is nevertheless funding a notorious cybercriminal gang that preys on the IT sector. In recent weeks, ShinyHunters has been responsible for breaches at ADT, Vimeo, Rockstar Games, and dozens of other firms listed on the gang’s website.
Still, Instructure likely had another incentive to settle. The agreement might defuse the class-action lawsuits piling up against the company, which are demanding damages stemming from the outage and the loss of Canvas data. ShinyHunters previously boasted of stealing data from 275 million people across nearly 9,000 universities, colleges, and school districts. That included usernames, email addresses, course names, enrollment information, and Canvas messages, which could reveal personal and private conversations between students and teachers.
So far, ShinyHunters has refused to elaborate on the attack. But the gang did go out of its way to say affected schools won't face continued extortion. "If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved," ShinyHunters wrote in an update. "The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent."
Even so, there’s no guarantee that the hackers didn’t keep a copy of the stolen information to quietly sell to other cybercriminals.
Instructure also conceded that point. “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Daly said. “We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.”
In the meantime, Instructure is also facing a Congressional inquiry. House Homeland Security Committee Chairman Andrew Garbarino (R-NY) is demanding a briefing on the hack. He also flagged how Instructure failed to initially fend off the hackers when the company first detected a potential intrusion days earlier, prior to last Thursday’s outage.
“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” Garbarino wrote in a Tuesday letter to Daly.
Daly has said the attack was traced to a “vulnerability” involving support tickets for a free version of Canvas for teachers. The ShinyHunters gang is known for using English-language voice calls and impersonation to phish company employees into giving up internal access.


