Synopsis
Instructure, the company behind the educational tool Canvas, has struck a deal with the hacking group ShinyHunters. This agreement secures stolen student and school data. ShinyHunters confirmed data deletion and no further targeting of Instructure customers for payment. The House Homeland Security Committee has also requested a briefing from Instructure regarding the intrusions.In a statement posted to its website May 11, the company said it "reached an agreement with the unauthorised actor involved with this incident." As part of the agreement, all data was returned to the company, the company received digital confirmation of data destruction, and the company was informed that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise."
The agreement covers all impacted Instructure customers, the statement said, "and there is no need for individual customers to attempt to engage with the unauthorized actor."
A representative for ShinyHunters, the group the claimed responsibility for the breach, said in an online message to Reuters that the "data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us."
The representative declined to answer specific questions about the agreement.
Also on May 11, the House Homeland Security Committee sent a letter to Instructure CEO Steve Daly requesting he or another senior company executive brief the committee to address the multiple intrusions claimed by ShinyHunters, questions about the nature and amount of data stolen, what the company has done in response, and "the adequacy of the company's coordination with federal law enforcement and CISA," referring to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
An Instructure spokesperson did not immediately respond to a request for comment on the request for Congressional briefing or the nature of the agreement struck with ShinyHunters.
