Instructure, the company behind the Canvas learning management system, recently announced that it had reached an agreement with the data theft group ShinyHunters, which had claimed to have stolen information related to approximately 275 million students, teachers, and staff. Instructure assured users that their private communications and email addresses would not appear on dark web marketplaces and that they would not be extorted over the incident.
According to Instructure, they received “digital confirmation of data destruction (shred logs)” and claimed that no customers would face extortion as a result of this breach. However, security professionals are expressing significant doubt about these assertions.
Expert Opinions on Data Deletion
Allan Liska, a threat intelligence analyst at Recorded Future, stated, “Do I believe they deleted the data? No. They’re criminals and scumbags.” He highlighted a phenomenon known as “The Ransomware Trust Paradox,” where ransomware groups must maintain a facade of data deletion to ensure future payments, despite the likelihood that the data remains intact.
Cynthia Kaiser from Halcyon Ransomware Research Center echoed these sentiments, emphasizing that the claim of data destruction is often a standard response from extortion groups after negotiations. She noted that ShinyHunters has a history of recycling and reselling stolen data, which raises further doubts about the validity of Instructure’s claims.
Future Threats and Phishing Risks
Kaiser also warned that the breach could lead to targeted phishing attacks against students, staff, and parents over the next six to twelve months, using the leaked information to craft convincing lures. This highlights the ongoing risks associated with the breach, even if the stolen data is not publicly released.
Negotiations and Ransom Payments
While Instructure executives have not explicitly stated that a ransom was paid, the phrase “reached an agreement” suggests that negotiations occurred, likely involving a financial settlement. Estimates for the ransom amount range between $5 million and $30 million. The decision to pay ransoms is a contentious issue, with many experts advising against it due to the potential for incentivizing further criminal activity.
Luke Connolly from Emsisoft noted that paying ransoms can lead to a cycle of repeated attacks, as evidenced by a survey indicating that 83% of organizations that paid ransoms were attacked again. Despite this, the pressure to protect sensitive data, especially in the education sector, often complicates the decision-making process.
Implications for the Education Sector
This incident is part of a troubling trend in the education sector, which has seen multiple high-profile breaches in recent years. The concentration of sensitive data within a few major vendors makes educational institutions particularly vulnerable to extortion. Experts predict that the economic incentives for attackers will continue to drive future attacks against educational platforms.
In summary, while Instructure claims that the stolen data has been deleted, skepticism remains among security analysts. The potential for future phishing attacks and the ongoing risks associated with the breach underscore the challenges faced by organizations in safeguarding sensitive information.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
