Canvas' parent company reaches agreement with hacking group behind breach

Instructure, the company behind the Canvas educational platform, announced it has reached an agreement with the hacking group ShinyHunters to resolve the recent data breach. The company confirmed in a statement that all stolen data was returned, digitally verified as destroyed, and that no customers would face extortion. The agreement covers all affected Instructure customers, eliminating the need for individual negotiations. ShinyHunters, which claimed responsibility for the breach, stated in a message to Reuters that the data has been deleted and no further targeting or extortion attempts will occur. The group previously claimed to have stolen data from nearly 9,000 schools, including student names, email addresses, and messages. Instructure had previously taken Canvas offline for several hours before restoring it following the breach. The U.S. House Homeland Security Committee sent a letter to Instructure CEO Steve Daly, requesting a briefing on the multiple intrusions, the nature and scope of the stolen data, and the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA). The letter also questioned the adequacy of Instructure’s response to the breach. ShinyHunters had initially posted a list of affected schools and districts on May 5, claiming Instructure had not engaged with them. The hacking group had previously targeted global companies for extortion, with a history of threatening data leaks unless ransoms were paid. Instructure’s spokesperson did not immediately respond to requests for further comment on the congressional briefing or the details of the agreement. The breach occurred in early May, with students at multiple schools reporting notes from ShinyHunters regarding the hack. The incident has raised concerns about data security in educational institutions and the effectiveness of breach response strategies.