- Instructure paid a ransom to ShinyHunters after hackers breached the Canvas platform twice in two weeks, stealing data from approximately 9,000 customers and defacing the platform with an extortion message.
- The House Homeland Security Committee launched an investigation into the incident and demanded a briefing about both intrusions and the company’s response.
- The FBI has acknowledged the disruption and has advised students against responding to direct contact from hackers.
Education technology company Instructure has paid a ransom to the cybercriminal group that breached its Canvas learning platform. The hackers stole vast amounts of data from thousands of schools and defaced the platform with an extortion message just days before final exams.
The company confirmed the payment in a late Monday evening announcement. Instructure stated that its agreement with the ShinyHunters group included the return of stolen data and digital confirmation that the hackers destroyed all copies, so no Instructure customers would face individual extortion demands as a result of this incident.
Also, Instructure advised that customers should not attempt to communicate directly with the hackers. The company acknowledged that dealing with cybercriminals never offers complete certainty, but it believed taking this step would provide customers with additional peace of mind.
Hackers Struck Twice in Two Weeks, Disrupting Final Exams
The ShinyHunters group first breached the Canvas platform on May 1, stealing a large cache of information. They returned on May 7 to deface the platform with a visible ransom message demanding payment.
Thousands of universities and K-12 schools use Canvas to share course content and to communicate between teachers and students. Upon logging into the Canvas platform last week, students and professors saw the threatening message from ShinyHunters on their screens.
Instructure responded by temporarily shutting down the platform, which left millions of students without access to their class materials right before final exams.
ShinyHunters claimed to have hacked approximately 9,000 different customers of Instructure that use the Canvas platform. According to the hackers, they have all of the contact information for each of the students and their professors, including email addresses, names, student IDs, and private messages between students and professors. During the first week after the breach, the hackers demanded a ransom from each of the institutions and threatened to release all of the data by May 12.
The FBI later advised students not to respond to any communication from the hackers. According to an FBI official, receiving a communication from ShinyHunters did not mean that a person’s information had been compromised.
Also, the FBI recommended that individuals wait to receive further guidance from the schools on what their next steps should be before taking action.
House Homeland Security Committee Demands Answers from Instructure
The decision to pay the ransom came just hours after the House Homeland Security Committee announced plans to investigate the cyberattack. Chairman Andrew Garbarino, a Republican from New York, sent a letter to Instructure’s CEO on Monday requesting a briefing on the incident before May 21.
The letter stated that the committee takes seriously both the harm to students and educational institutions caused by this incident and the broader implications for how the educational technology sector manages cybersecurity risks.
Garbarino requested that the briefing address the circumstances of both intrusions, including the nature and volume of accessed data, the steps Instructure has taken to control the threat and inform the impacted institutions, and the competency and compliance of the company with CISA and federal law enforcement.
Garbarino noted that Instructure initially claimed the incident was contained on May 2, before the second intrusion occurred. He indicated that the gap between Instructure’s public description of the incident and its scale according to the attackers’ own claims demands a full, comprehensive, and transparent accounting.
The occurrence of another breach just a few days after the initial attack was disclosed raises serious questions about the company’s incident response capabilities, Garbarino added.
He noted that the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion represents exactly the kind of systemic vulnerability the committee has a responsibility to examine.
Instructure Hires Forensic Investigators as ShinyHunters Site Goes Dark
Instructure CEO Steve Daly published a separate letter to customers over the weekend apologizing for the incident. He reaffirmed that Canvas remains safe to use, and the company has hired CrowdStrike and another cybersecurity firm to conduct a forensic analysis and harden the environment.
The FBI confirmed it is aware of the disruption. On Monday, the ShinyHunters leak site went offline, prompting several cybersecurity experts to suggest the FBI may have taken action against the group.
The attack on Instructure caps months of similar incidents involving ShinyHunters. The group previously breached major companies, including Ticketmaster and AT&T. More recent attacks have targeted the education sector, including educational publisher McGraw-Hill. Garbarino noted these past incidents in his letter to Instructure’s CEO.
If a university or school has received no contact from Instructure to date regarding this incident, then it was not affected. The FBI is still investigating the incident in cooperation with other federally sponsored law enforcement agencies.