Instructure pays ransom after Canvas incident as Congress announces investigation

Education technology firm Instructure paid a ransom to hackers who stole troves of information from a platform used by thousands of schools. 

Late on Monday evening, the company published a note confirming their decision to pay the ShinyHunters cybercriminal group. The company said its agreement with the hackers involved their data being “returned” to them and digital confirmation of data destruction.

“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company said. 

“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor. While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.”

The ShinyHunters cybercriminal group breached the company’s Canvas platform twice over the last two weeks, initially stealing troves of information on May 1 before defacing the platform with a ransom message on May 7. 

Thousands of universities and K-12 schools use Canvas to share course materials and communicate with teachers. But when students and professors logged in last week, they saw a threatening message from ShinyHunters. Instructure temporarily shut the platform down, leaving millions of students with no way to access class materials ahead of final exams. 

ShinyHunters claimed it stole information from 9,000 Instructure customers, including names, email addresses, student IDs and messages between students and professors. They demanded ransoms from each school and threatened to leak the information on May 12. 

The decision to pay the ransom came hours after the House Homeland Security Committee said it plans to investigate the cyberattack. 

Rep. Andrew Garbarino (R-NY), chairman of the committee, sent a letter on Monday to the CEO of Instructure requesting a briefing on the cyberattack before May 21. 

“The Committee takes seriously both the harm to students and educational institutions caused by this incident and the broader implications for how the educational technology sector manages and discloses cybersecurity risks,” he wrote.

Garbarino said the briefing with Instructure should “address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and CISA.”

Garbarino added that Instructure initially claimed the incident was contained on May 2 before the second incident took place. He wrote that the “gap between Instructure’s public characterization of this event and the scale suggested by the attacker’s own claims warrants a full and transparent accounting.”

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” Garbarino said.

“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”

Garbarino’s letter was first reported by Politico. Instructure did not respond to requests for comment on the letter.

Instructure CEO Steve Daly published his own letter to customers this weekend apologizing for the incident and reaffirming that Canvas is currently safe to use. He said Crowdstrike and another cyber firm have been hired to conduct a forensic analysis of the incident and harden their environment. 

Any university or school that has not already been contacted by Instructure was not impacted by the cyberattack. 

The FBI told Recorded Future News that it is aware of the disruption and warned students not to respond to contact from the hackers asking for direct payment.

An FBI spokesperson said receiving messages from ShinyHunters “does not necessarily mean your personal information has been compromised.” 

“We understand that the immediate concern for individuals/students is determining what, if any, of their data or other sensitive information may have been exposed,” the agency said. “At this time, the strongly recommended course is to await formal guidance from your educational institution regarding the scope of the incident and the nature of any affected data.”

On Monday, the ShinyHunters leak site was taken offline and several cybersecurity experts pointed to potential FBI action targeting the group.

The attack on Instructure capped months of attacks by ShinyHunters on several high-profile companies, including several in the education sector. 

Garbarino noted in his letter that the group was behind past breaches at Ticketmaster and AT&T as well as more recent incidents involving educational publisher McGraw Hill and othercompanies.