Canvas Cyberattack: Instructure Pays ShinyHunters Ransom, US House Committee Asks for Investigation
Published
Key Takeaways
- Ransom paid: Instructure compensated the ShinyHunters cybercriminal group following the Canvas data theft.
- Data compromised: Hackers claimed to steal records from 9,000 customers, threatening a data leak.
- Congressional probe: Representative Andrew Garbarino requested a formal security briefing before May 21.
Instructure paid a ransom to the ShinyHunters cybercriminal group after sensitive data was stolen from the Canvas platform. The education technology firm confirmed the agreement involved the stolen data being returned alongside digital confirmation of data destruction. Yet, the U.S. House Committee officially invited the company CEO to a briefing.
Operational Disruption and Extortion Threats
Because thousands of universities and K-12 schools use Canvas, Instructure temporarily shut the platform down to contain the ongoing threat. ShinyHunters claimed it successfully stole data from 9,000 Instructure customers.
This compromised dataset included names, email addresses, student IDs, and messages exchanged between students and professors. The organization stated that no Instructure customers would be extorted as a result of the incident.
The ShinyHunters group breached the Canvas architecture twice over a two-week period, first stealing information on May 1 and subsequently defacing the platform with a ransom message on May 7, which threatened with alleged unauthorized data leaks on May 12.
The FBI issued a formal warning instructing students not to respond to direct payment demands from the hackers. Yet, an FBI spokesperson said receiving such messages “does not necessarily mean your personal information has been compromised.”
Incident Forensics and Congressional Investigation
In response to the data breach and the disruption of educational infrastructure, the House Homeland Security Committee announced a formal investigation. Representative Andrew Garbarino sent a letter requesting a comprehensive security briefing by May 21 to examine the network intrusion.
The U.S. House Committee Chairman Andrew Garbarino invited Instructure CEO Steve Daly in a letter to “address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and CISA.”
Concurrently, Daly apologized to customers and confirmed the enterprise retained CrowdStrike and another cybersecurity firm to conduct forensic analysis and execute environment hardening protocols.
This month, the threat actor targeted Woflow and Vimeo Accounts.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular