Canvas “reached agreement” with hackers

Education Review AU United States
A massive global education data breach has taken a dramatic turn after the company behind the Canvas learning platform confirmed it struck a deal with the hackers responsible. Instructure, which owns the widely used online education system, revealed early Wednesday it had “reached an agreement with the unauthorised actor” who stole vast quantities of student and staff information from thousands of schools and universities worldwide.

The cyberattack disrupted Canvas during the final weeks of first semester and resulted in the theft of about 3.65 terabytes of data from 8809 educational institutions, including at least 122 across Australia. A number of universities, TAFEs, and public and private schools were affected by the breach.

In a statement, the company stopped short of confirming whether a ransom was paid but indicated the stolen information had been returned alongside digital proof the hackers had destroyed any remaining copies.

Instructure chief executive Steve Daly apologised for the disruption caused by the breach. “We understand how unsettling situations like this can be, and protecting our community remains our top priority,” Mr Daly said. “With that responsibility in mind, Instructure reached an agreement with the unauthorised actor involved in this incident.” The company acknowledged there is “never complete certainty” when dealing with cybercriminals, but said it was necessary to “take every step within our control” to give customers additional peace of mind.

The hackers accessed student ID numbers, names, email addresses and private Canvas messages and threatened to release the data publicly unless institutions paid. Instructure maintained that passwords, dates of birth, financial details and government identifiers were not taken. The attack became apparent last week, with many affected organisations restoring access before the agreement was finalised.

Cybersecurity consultant Luke Irwin, from Aegis Cybersecurity, told The Sydney Morning Herald (SMH) the hacking group ShinyHunters had demanded about $US10 million, suggesting any payment would likely land “in the high single-digit millions”.

Former national cyber security adviser Alastair MacGibbon told SMH the company’s wording strongly suggested a ransom had been paid and required clearer explanation. “Reaching an agreement, I would suggest, is code for paid,” Mr MacGibbon said. “I’m not against paying in certain circumstances. If someone has locked up a hospital system or a power company, or something that will have catastrophic consequences for human lives or for the survival of an economy, then payment has to always be a potential option. But in this type of circumstance, most people would question how an organisation would think that was justifiable.”

The breach has also sparked legal action in the United States, with at least 18 lawsuits filed against the company since the incident. The incident is believed to be the largest education-sector data breach on record and has renewed concerns about the reliance on overseas technology providers storing sensitive information belonging to millions of students.

Summary generated from the RSS feed of Education Review AU. All article rights belong to the original publisher. Click through to read the full piece on www.educationreview.com.au.