Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The US House of Representatives is demanding testimony from representatives of Instructure, the twice-hacked company that owns the educational platform Canvas. Lawmakers are seeking answers to explain the company’s delayed response to cyberattacks that enabled bad actors to steal the personal information of millions of students and teachers across the country.
directions revealed this week It reached an agreement with the hacker group ShinyHunters, under which the hackers would destroy copies of user data and agree not to blackmail users. ShinyHunters first hacked the platform in April and again last week, allegedly targeting thousands of universities and school districts.
The House Homeland Security Committee said it was investigating the hack in cooperation with the Cybersecurity and Infrastructure Security Agency. CISA works with Instructure as one of the “external forensic experts” the company refers to in its report Frequently asked questions about the accidentThis helps “contain and investigate the activity and apply additional safeguards.”
Now House Committee Chairman Rep. Andrew Garbarino is examining whether Instructure’s coordination with CISA is sufficient in this case. In a message Sent to Instructure CEO Steve Daly, Garbarino, a New York Republican, demanded to know how the company was hacked more than once. The House committee also wants more specific information about the types of sensitive information stolen during the hack.
Instructure said the personal data stolen during the Canvas hack included “information such as usernames, email addresses, course names, registration information, and messages.”
The agreement with ShinyHunters called for the hackers to delete the data. “There is never complete certainty when dealing with cybercriminals,” Instructure said, but it received digital confirmation, in the form of shredded records, that the stolen data had been deleted.
Instructure warned affected Canvas users against individual attempts to contact or bargain with the ShinyHunters group, saying its agreement “covers all affected Instructure customers.”
Hacker group The first infiltrated fabric systems on April 29, using a vulnerability linked to Free-For-Teacher accounts. This allowed ShinyHunters to extract personal information associated with students and teachers.
While we do not know exactly how many institutions were affected The hackers claimed They targeted more than 9,000 universities and public school districts. Canvas is used in K-12 schools, so the hack could potentially expose sensitive information to underage students.
The situation escalated when hackers breached Instructure’s security for a second time on May 7. Leave a message Exposing their illegal activity to anyone trying to log in to Canvas. Instructure immediately moved Canvas into maintenance mode, during which students were unable to access the service.
If the name ShinyHunters sounds familiar, it’s because it’s a well-established group of ransomware hackers. ShinyHunters is the same team that hacked Anodot and escaped with some Rockstar Games business data In April.
that it Previous goals It consists largely of major technology companies such as Microsoft, Cisco and AT&T, but hackers have also ransomized information from insurance companies, credit unions and other institutions that handle sensitive data.
Canvas is currently operational, although Free-For-Teacher accounts have been temporarily disabled as Instructure continues to investigate the exploit used to breach its systems.
Instructure asked customers to continue monitoring their accounts, even though its third-party forensics partner “found no evidence that the threat actor currently has access to the platform.”
Instructure is organizing a webinar for its clients for “detailed information about the cyber attack and (Instructure’s) system hardening activities.” It’s currently unclear when this will happen, though the company’s incident update page suggests it will happen Scheduled for May 13.
When reached for comment, an Instructure representative pointed it out to CNET The official page of the company’s incident.
A similar data breach happened to PowerSchool in 2024. Despite paying the ransom, customers were still being blackmailed for more money.
Was the stolen data really destroyed? There is no way to be sure
Instructure has reached an agreement with the ShinyHunters hackers, defying the conventional wisdom of industry experts and FBI Cybercrime Division. Once information is available, paying the ransom does not guarantee that it will stop circulating among bad actors.
Worse still, the ransom payment offered by Instructure may motivate ShinyHunters or other ransomware hacker groups to hunt for more victims.
“It is a very disturbing example to see such a high-profile incident result in a payout, especially when the victim company acknowledges this way,” said Troy Hunt, founder and CEO of the company. Have you been Pwneda website that tracks password information exposed by data breaches. “Unfortunately, it has now become a very clear example of how crime pays off, and it sets the pattern for future criminals and victims alike.”
Hunt speculated that the decision was likely influenced by the scope and scale of the incident. This was a major data breach, and Instructure is under pressure from schools and parents, especially since they handle sensitive information related to underage children.
Watch this: What to do if your personal information is part of a data breach
But ultimately, there is no way to guarantee that stolen data has actually been destroyed – absolute certainty does not exist in ransomware crimes.
“There could always be another version,” Hunt said. “Instructure’s message about ‘shredding logs’ provides absolutely no evidence that all copies of the data have been deleted.”
Hunt noted A Similar ransomware attack on education company PowerSchool in December 2024. Although the company paid for a supposed video of hackers deleting stolen data, copies of sensitive information They were used later To blackmail teachers for extra money.
We can’t be sure if ShinyHunters will use stolen Instructure customer data in the same way, but there’s no guarantee they still don’t have sensitive data on millions of American students.
If you were affected by the recent Canvas hack, it may be time to consider the steps You can take it to protect yourself From cyber criminals who may have your personal information.