Instructure Pays Canvas Hackers To Delete Students' Stolen Data (bbc.com)
Instructure, the company behind the widely used Canvas learning platform, says it reached an agreement with the hackers who stole 3.5 terabytes of student and university data. The company says it received "digital confirmation" that the information was destroyed and that affected schools and students would not be extorted. The BBC reports: Paying cyber criminals goes against the advice of law enforcement agencies around the world, as it can fuel further attacks and offers no guarantee the data has been deleted. In previous cases, criminals have accepted ransom payments but lied about destroying stolen data, instead keeping it for resale. For example, when the notorious LockBit ransomware group was hacked by the National Crime Agency, police found stolen data had not been deleted even after payments had been made.
Instructure said in a statement on its website that protecting students' and education staff data was its primary motivation. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said. Instructure did not set out the terms of the agreement but said that it meant that:
- the data was returned to the company
- it received "digital confirmation of data destruction"
- it had been informed that no Instructure customers would be extorted as a result of the incident
- the agreement covers all affected customers, with no need for individuals to engage with the hackers
Bad move (Score:3)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Pop quiz, hotshot... oh shit, Canvas leaked all the quiz answers. Nevermind.
Re: (Score:2)
They can't win. If they don't pay they get sued by students for not securing their data. If they do pay they encourage further attacks.
The time to win was before the hack. Now all they can do is pay, and hope they picked the cheaper option.
Re: (Score:1)
They're getting sued either way, dum dum.
Re: (Score:3)
Personally, I subscribe to the 'Shoot the hostage' school of negotiating with criminals.
In this scenario, the hostage is the company whose data was stolen... the data is the gun being held to their head and the victims are the people identifiable by the data.
Your negotiation strategy would kill both the hostage and irreparably harm the victims.
A better strategy is to ensure that your dangerous gun is kept secure and away from children. Prevention is always better than cure.
Finally! A use case for cryptocurrency! (Score:1)
Pretty sure you were going for Funny, but it's too dark and there are too many hostages in this situation.
However I do think it's hilarious for them to believe the blackmailers didn't keep a backup copy. Also funny that they are involved in education and don't seem to understand the lesson to be learned here.
Need some kind of anti-funny mod for the responses of the various police authorities, though in a sense it's hard to blame them. We are in a time of perfect crime. There should be a joke in here about "
SUCKERS (Score:5, Insightful)
Sure they deleted it. Now, how long before the 'deleted data' starts showing up elsewhere? Any guesses?
Re:SUCKERS (Score:5, Funny)
But they have digital confirmation!
Re:SUCKERS (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Maybe they put all the data on a couple of floppies and made a video burning them.
Re: (Score:2)
And what about the computer that was used to write to the floppies?
Re: (Score:1)
If your business is drugs it's a pretty shitty business plan to just welch deals on the Silk Road; burning your reputation is short-term gains and stupid.
The breacher trade isn't quite the same as pushing a product, but it's still true that welching for short-term gains would be stupid.
That said, there's no rule guaranteeing everyone in the scene is smart enough to preserve their cred, or they might think the identity is no longer needed and they can safely burn it. I imagine pissing off your peers is probabl
Re: (Score:2)
Re: (Score:1)
If paying them didn't guarantee deletion, guess how many people will pay them in the future?
All of them. All of them will, just like Canvas did.
1) How do you 'guarantee' the actual deletion of something you have no control over?
2) The fact is that these groups don't give a shit about their reputation and it's foolish to think they do.
Again, how long before this data starts showing up in other places? A month? 3 months?
Re: (Score:2)
you pay for things every day without 'guarantees'
Not as much as you might think - consumer protection laws and contract terms act as a form of guarantee for many transactions even if you don't realize it. And even then, companies frequently flout the law and screw their customers, even when we know who runs the company and where its headquarters are located. Taking the crooks' word for it is foolishness.
The "promise" of organized crime is not worth anything, especially in scenarios like this where a viable business strategy is:
1. launch ransomware compa
Re: (Score:2)
Re: (Score:2)
... but they're also financially incentivized to find a black market buyer for all of the data they supposedly deleted.
Even you admit that it's likely that the data will be sold or resurfaced later. Let's be frank: the idea they wouldn't sell all or part of it or sell access to it seems awfully naive.
Re: (Score:3)
Hahaha (Score:5, Interesting)
Re: (Score:3)
"Yes, you did pay to delete the backup... but not the redundant copy."
Re: (Score:3)
3-2-1 rule comes into play. LOL
Re: (Score:3)
I have deleted the data but you didn't pay to delete the backup
One has to be very specific when making deals with goblins.
Pinkie-Swearman Key Exchange (Score:5, Insightful)
'The company says it received "digital confirmation" that the information was destroyed and that affected schools and students would not be extorted. The BBC reports.'
For a company that makes education software, they sure must think their customers and users are pretty stupid.
Re:Pinkie-Swearman Key Exchange (Score:4)
Well, odds are the people in charge at Instructure are relatively stupid themselves. It's like the old Sherlock Holmes quote: "Mediocrity knows nothing higher than itself" - the Instructure leadership probably can't fathom how anyone smarter than them could exist.
Given how people keep stupidly paying these ransoms... maybe it's time to criminalize that act.
Re: Pinkie-Swearman Key Exchange (Score:2)
If they weren't they wouldn't buy their shit, so they KNOW they're stupid
Re: Pinkie-Swearman Key Exchange (Score:5, Insightful)
How do you feel about Iran's terrorist demands?
I feel like they are asking for the sun. Are you new to negotiations?
I also feel like all of this could have been avoided by just not doing what we've been doing. For decades.
Re: (Score:2)
So the thing you claim they don't want, nukes, isn't even in the list of unrealistic things they'd give up in a "negotiation".
This is one of those times when the handclaps between every word are actually warranted, not to try to wake you up, which is impossible, but just for fun. WE *clap* HAD *clap* A *clap* NUCLEAR *clap* DEAL *clap* BEFORE *clap* CHEETO *clap* BENITO *clap* BURNED *clap* IT *clap* DOWN.
Re: (Score:2)
Re: Pinkie-Swearman Key Exchange (Score:2)
I doubt the Canvas people are bribing educators and education administrators.
The truth is likely far more banal: Canvas is one of those "crappy but checks the boxes" products, like Jira or Slack. In other words, it's a "no one ever got fired for buying IBM" kind of product.
Re: (Score:2)
For a company that makes education management software, people sure do assume they give a shit how stupid their customers turn out to be.
FTFY.
Re: (Score:2)
I think it's in the hackers' best interests to be honest about this.
If they aren't, and release the data publicly or sell it, or release it in any form after promising to delete it, it tells the world that they can't be trusted, and future ransom demands with promises to delete the data won't be worth the electrons carrying said promises.
They've proved themselves clever enough to crack the security on a relatively secure and trusted platform. They will be looking for the next platform to crack as we speak.
next, they'll raise prices to cover the expense (Score:4, Informative)
I repeat my call for legal liability for companies that sell products or services with errors, including security vulnerabilities.
Re: (Score:2)
Security liability should apply across the supply chain. But if you're ok with blaming God for mistakes made by incompetent developers, that's I guess your religious freedom at work...
Re: (Score:3)
"Act of God" is a legal term of art. You should be blaming lawyers and governments.
So complex there are no obvious problems... (Score:3)
... Or so simple there are obviously no problems. It seems we have lost the ability to do the latter.
I mean, a computer's BIOS should be an exceedingly simple thing, with only enough smarts to initialise storage, copy bytes into RAM, check that those bytes are properly signed and then pass execution to them. Instead it is a full environment that never gets patched. This means that no one can build a secure system, because it's built on Swiss cheese.
PEBKAC (Score:2)
I repeat my call for legal liability for companies that sell products or services with errors, including security vulnerabilities.
Sure. Right after we start the mandatory IT competency test for every new employee that validates the problem isn’t still manifesting in the form of the iPad Generation of touchscreen mouth-breathers who thoroughly enjoy defending their uncensored right to click on every-fucking-thing shoved in front of their face no matter how senseless it is.
No software vulnerability has managed to defeat THE security vulnerability in the workplace. Not one.
This is Bad (Score:5, Insightful)
This all but guarantees an increase in ransomware attacks. There won't be any increase in defense against these kinds of attacks because it's easier and cheaper to pay the ransom. The losers here will be the users because of all the downtime and there will inevitably be leaks anyway.
Paying the ransom is reprehensible since it will cause so much pain for other people in the future, and should be illegal.
Re: This is Bad (Score:1)
There's pretty much only two other places on Earth where similar situations exist (territorial waters closing off an international body of water and controlled by states not dedicated to free trade). The first is the Red Sea, which is contained by Suez and Bab al-Mandab. The other is Indonesia at Malacca. Malacca is super easy to work around, and the Red Sea has two exits and much of its critical exports can use the Persian Gulf, so it would require far more coordination.
Re: (Score:2)
Which is the exact reason nobody should allow Iran to steal the Strait of Hormuz.
I didn't think there was this problem with the SoH a few months back - was Iran trying to claim it last year?
Re: (Score:1)
Will you shut the fuck up already? People are trying to have a conversation about the Canvas hack.
you insufferable fucking cunt.
Re: (Score:1)
I think there's a deeper story here.
I ended up teaching at two colleges I previously attended. In both cases, when I was granted Canvas access I came across everything from my previous enrollment, years later. I was able to find the very first messages and activities I submitted in Canvas my first week of college. Instructure hoards data it really should just delete. Consequently, I suspect Instructure paid the ransom because they know the breach exposed data of not just current students and faculty, but all p
They should be shut down corporate charter revoked (Score:3)
They will be sued by the next victims (Score:1)
The next major ransomware victims will sue Instructure for encouraging ransomware attacks.
Sounds good! (Score:2)
Re: (Score:2)
I mean, if you can't trust criminals, who can you trust?!?
Well, the Mob did dispose of the bodies (they never found Hoffa's remains), and did have a code of honor to follow through on their commitments.
The term "honor" has always been somewhat flexible in interpretation in criminal organizations.
The current miscreants appear to live by a different code than the reported approach used by the mob (and their families).
Paying for something that cannot be confirmed (Score:2)
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
— Rudyard Kipling (1865-1936), Dane-geld, Stanzas 5-6
There is a good reason that "law enforcement agencies around the world" advise against paying cyber criminals. And it isn't because law enforcement is dumb, or that they like seeing you getting your data stolen.
Nothing like making crime pay! (Score:3)
"confirmation" (Score:5, Insightful)
Re:"confirmation" (Score:4, Funny)
But they sent a video of someone in a mask drilling out a hard drive!
Re: "confirmation" (Score:2)
NIST 800-88 compliant. What could possibly go wrong?
What idiots (Score:3)
It's Over (Score:5, Informative)
They should just start the process of shutting down.
They're going to get hit again...they're a mark.
They're contributing to the problem...proving they've found an area they can get results.
The trust is gone.
The fact they believe anything the criminals say is pretty stupid. That right there is enough proof that they didn't handle it properly.
There's no honor among thieves. They didn't delete it. They will use it later.
This will only continue to get worse as morons cave.
Of course they did the wrong thing (Score:2)
Delete data. (Score:2)
You can totally trust criminals (Score:2)
- it received "digital confirmation of data destruction"
- it had been informed that no Instructure customers would be extorted as a result of the incident
- the agreement covers all affected customers, with no need for individuals to engage with the hackers
I'm 100% sure criminals would never lie. It's bad for business. I'm also 100% sure they didn't create any additional means for future compromise.
Sponsoring terrorism (Score:2)
Re: (Score:1)
Even if it's not illegal, *if* it can be fairly clearly demonstrated (not just argued, no matter how logical or obvious) that it has an emboldening effect on the criminals that hurts other companies, even those that aren't later hit themselves, because of increased cost in hardening their systems, a good class action should be able to sue them out of existence, help fund said hardening, and discourage others from paying.
Idiots (Score:2)
Re: (Score:1)
Tax in ransoms (Score:2)
There should be a 100% excise tax on paid ransoms to fund state cyber security. And a five year prison sentence for not reporting on top of the tax fraud.