Canvas hackers reach deal with Instructure
Education tech firm Instructure confirmed a deal with hackers after a Canvas platform breach exposed data of up to 275 million students across 9,000 institutions, though it did not confirm ransom payment or data destruction verification. The incident, linked to ShinyHunters, caused operational disruptions, including locked-out students and rescheduled exams, raising concerns about vendor liability and regulatory fallout.
Instructure, the US-based company behind the Canvas learning platform, announced on Tuesday it had reached an agreement with the hackers responsible for a data breach affecting up to 275 million students across around 9,000 institutions worldwide. The company stated it received ‘digital confirmation of data destruction’ from the unauthorized actors, though cybersecurity experts emphasized the lack of independent verification for the claim. Instructure did not confirm whether a ransom was paid or identify the hacking group involved, though ShinyHunters claimed responsibility according to Emsisoft threat analyst Luke Connolly. The breach was detected in two phases: the first unauthorized access occurred on April 29, when Instructure revoked access, launched an investigation, and engaged forensic experts. A second wave of activity was identified on May 7, linked to the same incident. The exposed data included usernames, email addresses, student ID numbers, and institutional communications. ShinyHunters reportedly threatened to leak a 3.65 TB dataset unless negotiations concluded by May 12. The incident triggered widespread operational disruptions, locking students and faculty out of the platform used for coursework, grades, and exam preparation. Universities rescheduled final exams and implemented contingency plans, highlighting the risks of third-party software dependence. Cyber insurers noted the potential for claims related to incident response, business interruption, privacy liability, and regulatory defense, with concerns over whether payment ensured data was not resold. Regulatory scrutiny and potential class-action lawsuits loom due to the exposure of personally identifiable information. Educational institutions may also face questions about vendor due diligence and contractual obligations to protect student data. Cyber insurers covering schools and universities will monitor costs for notifications, credit monitoring, legal defense, and settlements, while some may seek recovery under contingent business interruption clauses if their operations were disrupted by the third-party vendor incident.
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.