The company at the centre of a cyber attack involving the details of millions of students globally this month says it has “reached an agreement” with the hackers.
Almost 9,000 schools, universities and other educational institutions were targeted in the Canvas data breach conducted by the cybercriminal group ShinyHunters.
It involved the theft of large amounts of data, including student ID numbers, email addresses, enrolment information and messages on the learning platform.
Instructure, the US company that developed Canvas, has published an update to its website indicating that it has negotiated for the information not to be leaked.
“We understand how unsettling situations like this can be, and protecting our community remains our top priority,” the update said.
“With that responsibility in mind, Instructure reached an agreement with the unauthorised actor involved in this incident.”
The company said, as part of that agreement, the data had been returned along with digital confirmation of it being destroyed by the hackers.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company said.
“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.”
Instructure said the agreement covered all impacted institutions and that there was no need for any individual school or university to attempt to engage with the hackers.
Last week, students and teachers who logged in to Canvas were greeted with a warning that the information would be leaked unless institutions negotiated a settlement with ShinyHunters by the end of May 12.
Canvas is a digital hub used by schools and universities for submitting assignments, taking exams, checking grades and communication between teachers and students.
The platform is used by a large number of schools, universities and other educational institutions across Australia, the United States and Canada.
Canvas boss apologises for breach
Instructure chief executive Steve Daly has also published a message on the company’s website, apologising for the breach and communication issues.
“Over the past few days many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom,” Mr Daly said.
“You deserved more consistent communication from us and we didn’t deliver it. I’m sorry for that.”
Public information about the hack last week was largely limited to updates on Instructure’s status page and information from the hacking group itself.
Mr Daly said the company had decided to “get the facts right” before speaking publicly and that it had “got the balance wrong”.
He said the data breach was the result of a vulnerability regarding support tickets in the service’s Free for Teacher accounts, which was exploited.
These accounts have been temporarily disabled while Instructure completes a cybersecurity review.
Mr Daly said core learning data, including course content, submissions and credentials, had not been compromised.
Warning over ‘highly personalised’ scam emails
Before the agreement with the hackers was announced, cybersecurity experts had warned that the data breach would lead to “highly personalised” scam emails.
Lively chief executive Stacey Edmonds said the information of students and teachers was likely to be sold on the dark web to people looking to conduct scams.
She said the details from the Canvas hack would have been combined with information from other data breaches to flesh out “profiles” on the affected people.
“Armed with that profile, they can now send you highly-personalised phishing emails, texts, phone calls, that reference real details about your life,” Ms Edmonds said.
“Their ultimate goal is then to either steal more credentials, get you to transfer money, or install malware on your device.”
Ms Edmonds believes there will still be a wave of phishing and scam attempts looking to take advantage of the situation, despite the agreement between the hackers and Instructure.
Leak a ‘significant failure’
Alastair MacGibbon, the former head of the Australian Cyber Security Centre, said the Canvas incident was a classic example of the tactics used by “hack and leak” syndicates.
“On the one hand, this is not the most significant data stolen. It’s not medical data. It’s not financial information,” Mr MacGibbon said.
“But it is very useful information, for a criminal to then be able to essentially do targeted criminal communications with millions of people.”
He said the data breach should serve as a reminder for organisations to improve their defences against cybercrime.
“People, processes and technologies need to be strengthened because these hacks are dangerous, they’re frustrating,” Mr MacGibbon said.
“The only people that benefit are criminals and it’s incumbent upon all service providers to get better at doing their job.
“In this case, millions of people get impacted in what can only be classified as a significant failure.”
A spokesperson from the National Anti-Scam Centre said Australians should not respond to any unsolicited contact in relation to the Canvas incident.



