Education platform provider Instructure has been making news for all the wrong reasons over the last seven or so days, following a comprehensive breach of its Canvas platform by the ShinyHunters cyber extortion group.
Millions of students and educators have had their personal details compromised, and the Canvas platform itself – a popular cloud-based education portal used by schools around the world and across Australia – was taken offline for close to a week.
But while the hackers continued to apply pressure on Instructure and the many schools caught up in the breach, those schools themselves have been asking questions of the company’s response.
Now, Instructure CEO Steve Daly has said he is aware of customer concerns and that his company has reached a compromise with the hackers.
“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority,” Daly said in a May 11 statement.
“With that responsibility in mind, Instructure reached an agreement with the unauthorised actor involved in this incident.”
To that end, Daly said all stolen data had been returned, and the hackers have confirmed that the stolen data has effectively been “shredded” on their end.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” Daly said.
“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorised actor.”
Daly did not mention if a ransom had been paid to ShinyHunters, but added that “complete certainty” in such dealings is impossible. He believes, however, that it was essential to “take every step within our control to give customers additional peace of mind, to the extent possible”.
“We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved,” Daly said.
“We will continue to provide updates as that work progresses.”
Mea culpa
At the same time, Daly also delivered an apology to Instructure customers over the company's communications protocols during the incident, while outlining some further details of how its systems were compromised.
“I'll start where I should: with an apology,” Daly said.
“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that.”
Daly said that Instructure has ascertained that data such as “usernames, email addresses, course names, enrollment information and messages” were impacted by ShinyHunters’ intrusion, but “core learning” data, such as submissions and credentials, remained secure.
“We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review,” Daly said.
“We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.”
Daly admitted, however, that while the company’s first instinct was to ascertain the facts of the case before speaking publicly, the balance of reporting was.
“We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward,” Daly said.
To that end, Daly has committed to launching a dedicated Incident Update page on the company's website, to releasing further updates within 48 hours, and eventually to publishing a summary of the forensic report on the incident.
“Rebuilding trust takes time,” Daly said.
“We're going to earn it back through consistent action and honest communication. We're in this for you and your community.”
What should schools and students do now?
According to ESET's Chief Security Evangelist, Tony Anscombe, the one thing to watch out for is being targeted by scammers and phishing campaigns.
“If, as reported, the breached data is limited to names, email and school location, the most likely immediate use of the data by cyber criminals will be to create a phishing campaign with a call to action to gather more data from the victims,” Anscombe told Cyber Daily.
“The emails could take the form of a breach notification, request to change password, or to register for identity protection services, all of which, if real, would require additional personal details making the malicious email request contextual.
“A basic rule is do not respond directly to any link in email regarding this topic, go to the university website directly and follow official guidance offered.”
Basic cyber hygiene actions, such as changing passwords, are also recommended.
“Early reports suggest that only minimal data has been compromised, however, as with many data breaches as investigations continue, it may become apparent that additional data has been exfiltrated and it may include more personal data such as date of birth, and possibly even passwords,” Anscombe said.
“As a precaution I recommend that if students or staff have used the same password, or similar, on multiple sites they immediately take action and change the passwords and where possible activate multi-factor authentication.”
As to what schools and other educational institutions can do, the situation requires a more technical – but nonetheless essential – approach.
“Universities and schools should follow a recognised cyber security framework to ensure the highest level of security posture is achieved. This will include technologies such as endpoint detection and response, multi-factor authentication, identity access management, vulnerability and patch management and such like,” Anscombe said.
“Third-party data breaches such as this one are, unfortunately, a reality. Universities and schools need to ensure that any provider they contract with that may either have access to school systems or provide student and staff services follow the same strict cybersecurity practices and policies that are in place internally.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.