The digital security debate in education systems has escalated as the creator of the widely used Canvas platform has agreed to terms with hackers post a significant cyberattack that affected numerous universities and colleges worldwide. Concerns are now emerging regarding the security of systems managing sensitive student data, such as exam records and answer sheets stored in cloud services like those within the Central Board of Secondary Education (CBSE) framework. The breach on Canvas has underscored the increasing vulnerability of extensive education infrastructure.
Instructure, based in the United States and the operator of Canvas LMS, has verified reaching an agreement with the hackers responsible for the cyberattack in April, impacting an estimated 9,000 institutions in the United States, Canada, Australia, and the United Kingdom. The breach resulted in widespread disruptions, including exam interruptions due to the Canvas platform outage. The attackers had allegedly accessed approximately 3.5 terabytes of student and institutional data and threatened to release it online unless a ransom was paid.
According to reports, Instructure mentioned that the hackers have declared the deletion of the stolen data and assured that no further extortion attempts would be made against customers under the agreement. While no financial transaction has been confirmed by the company, cybersecurity experts point out that such agreements typically involve ransom negotiations conducted through encrypted channels. Instructure stated that the agreement includes verifying the return of the data, digitally confirming its deletion, and ensuring that affected customers will not face additional targeting.
The breach, identified on April 29, was attributed to the Shiny Hunters extortion group, previously associated with various global cyber incidents. Notably, the data breach and service disruption affected Canvas LMS, a learning management system. Instructure disclosed that an investigation into a cybersecurity incident involving specific user data, such as names, email addresses, student ID numbers, and user messages, was ongoing. The company clarified that there was no evidence of unauthorized access to passwords, birth dates, government IDs, or financial details during the breach.
