The hacking group that targeted the Canvas education tool reached an agreement with the parent company that owns the software to protect stolen student and school data, the company said in a statement late Monday.
The company said in a statement posted on its website that it “has reached an agreement with the unauthorized actors involved in this incident.” As part of the agreement, all data was returned to the company, the company received digital confirmation of the data’s destruction, and the company was informed that “Instruct customers will not be subject to extortion, public or otherwise, as a result of this incident.”
The agreement covers all affected Instruct customers and “individual customers do not need to attempt to engage with unauthorized actors,” the statement said. Reuters reported on Friday that schools and organizations whose data had been hacked were contacting the group to try to prevent their data from being compromised.
A representative of ShinyHunters, the group that claimed responsibility for the breach, said in a message to Reuters, “The data has been deleted and disappeared. We will not target or contact the company and its customers for further payments.”
The representative declined to answer specific questions about the agreement.
To pay or not to pay
Kurtis Minder, a ransomware negotiator, said it was “fair to conclude that some money has been sent.”
The decision whether to pay can be complex and depends on the specifics of the case, the company’s values and the type of criminal group making the request, Minder said.
“You can make the argument either way,” Minder said Tuesday. “It’s critical to understand what happens when you send money.”
ShinyHunters, a hacker group that has targeted multinational companies for ransom, posted on its website on May 3 that it had stolen data from Instruct’s Canvas platform, which schools use for classwork, information sharing and messaging.
The hacking group claims to have student names, email addresses and messages related to nearly 9,000 schools. On May 5, the hacking group said in a message that it had not been contacted by Instruct and published a list of schools and districts where the group claimed their data had been stolen. Instruct said in a status message the next day that the situation had been resolved and the platform was fully operational.
On Thursday, students at multiple schools reported discovering ShinyHunters notes about the hack. Instruct took Canvas offline for several hours before bringing it back up.
Also on Monday, the House Homeland Security Committee sent a letter to Instruct CEO Steve Daly asking that he or another senior executive brief the committee on the multiple intrusions claimed by ShinyHunters, questions about the nature and amount of stolen data, the company’s response, and “the adequacy of the company’s coordination with federal law enforcement and CISA,” referring to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
A spokesman for Instruct did not immediately respond to a request for comment on the congressional briefing request or the nature of the agreement with ShinyHunters.
theme
network
interested in network?
Get automated alerts on this topic.
