Instructure, company behind Canvas learning platform, reaches deal with hackers to recover data

Instructure, the company behind the Canvas learning management system, said Monday it reached an agreement with hackers to recover recently stolen data.

Instructure said it convinced the “unauthorized actor” behind the cyberattacks to return the data, adding the hackers confirmed they destroyed any data left on their end. The company did not name the party responsible or specify the terms of the agreement.

“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved,” Instructure said in a statement.

ShinyHunters, the group claiming responsibility for the cyberattack, said it acquired the data of 275 million people, according to TechCrunch. The hackers told the outlet that “the data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.” 

Instructure was the target of two cyberattacks. The first involved unauthorized activity on April 29, when course names, email addresses, enrollment information, messages and usernames were stolen, Instructure said on its website.

On Thursday, ShinyHunters got back into Canvas and “made changes to the pages that appeared when some students and teachers were logged in through Canvas,” Instructure explained on its website.

Instructure said the Canvas system’s “Free-For-Teacher” accounts are temporarily shut down as a result of the cyberattack.

Some experts believe Instructure erred in reaching the agreement to recover the data.

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, said Tuesday, “Paying a ransom in a case like this can create a dangerous feedback loop where attackers are effectively rewarded for successful breaches. Even if organizations believe they are ‘resolving’ the immediate crisis, it reinforces the economic incentive structure behind cyber extortion.”

The FBI’s Cyber Division, also addressing the incident, wrote on X that “if you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands.”
