Teaching software company strikes a deal with hackers to get customer data back, defying FBI guidance

Education technology company Instructure has "reached an agreement" with the hacker group that breached its systems for a second time earlier this month. Most recently, hacker group ShinyHunters had exfiltrated hundreds of gigabytes of data from the company's cloud-based learning management system Canvas.

This breach potentially exposed the names, email addresses, and private messages of about 280 million Canvas users. ShinyHunters had threatened to leak this data if Instructure did not make contact before a May 12 deadline, though Instructure now reports that the stolen data has been returned.

The company has additionally received "digital confirmation of data destruction (shred logs)" from ShinyHunters, and the assurance that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise" (via TechCrunch). To date, Instructure has not disclosed the full terms of the agreements—financial or otherwise.

According to the BBC, a previous version of Instructure's security incident update read, "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible."

Official guidance frequently urges ransomware victims not to pay up. To begin with, one of the FBI's ransomware info pages advises that the bureau "does not support paying a ransom in response to a ransomware attack." The FBI also alluded to the Canvas breach in a post on X last week, writing, "If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands."

Besides the Canvas cyberattack, ShinyHunters has most recently breached Nvidia's GeForce Now—the hacker group claims that it "pulled their entire database straight from the backend." The group also demanded a ransom from GTA 6 studio Rockstar last month, though it was soon revealed that they didn't have all that much to leak in the end.

It has not yet been confirmed if or how much Instructure paid ShinyHunters in order to retrieve its stolen data. At the time of writing, the company's latest security incident update does not explain why the company chose to broker an agreement with the cybercriminal group. That said, Instructure leadership apparently intends to offer some clarity in an upcoming webinar, detailing "information about the cyber attack and our activities to harden the system."