A cyberattack compromising student data at nearly 9,000 schools has been resolved, ending the chaos that upended finals season for many students.
As of Monday, Instructure, the company behind Canvas LMS, announced it reached an agreement with “the unauthorized actor” responsible for the attack. The company did not disclose the details of the agreement, but ensured that the stolen data was returned and that no customers would be extorted by the hackers.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said.
However, paying ransom can create dangerous feedback loops as hackers are effectively rewarded for successful breaches, argues Cliff Steinhauer, director of information and security engagement at the National Cybersecurity Alliance.
“Even if organizations believe they are ‘resolving’ the immediate crisis, it reinforces the economic incentive structure behind cyber extortion and signals to threat actors that targeting large education platforms, or any critical service, can be profitable,” Steinhauer said.
It also normalizes paying ransom as a viable incident response strategy, which law enforcement consistently warns against, he adds.
Such a large-scale attack reveals the capabilities of high-level hacker groups and the importance of shielding vulnerable security networks. Instructure CEO Steve Daly issued a public apology for putting confidential data at risk.
“I’ll start where I should: with an apology,” Daly said. “Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that.”
About the attack
Instructure disclosed the breach on April 30, confirming that email addresses, ID numbers, and private messages across thousands of institutions worldwide had been compromised.
ShinyHunters, the extortion group that claimed responsibility for the attack, stole 3.65 terabytes of data belonging to 275 million individuals.
The hacker group initially set a ransom deadline of May 6, four days after Instructure said the . When the deadline passed without payment, ShinyHunters doubled down by adding extortion messages onto the Canvas login pages of more than 300 institutions and executing school-by-school extortion tactics, pushing the deadline to May 12, according to .
The added pressure forced the company to take Canvas offline, interrupting school work and access to the system nationwide.
The University of Tennessee at Knoxville postponed final exams during the interruption, asking professors to be “flexible and accommodating” for students, Knoxville News Sentinel reported.
“This event impacted education institutions across the country at the busiest time of the year,” Provost John Zomchick said in a university-wide email.
North Carolina’s Charlotte-Mecklenburg Schools disabled Canvas access and conducted an internal security review out of an abundance of caution to protect student and staff data, Carolina Public Press reported.



