Instructure Pays Ransom to ShinyHunters with Little Likely Return

Hackers Constantly Break ‘Confirmation of Data Destruction’ Promises

In a troubling incident that highlights the ongoing battle against cybercrime, the online learning platform Canvas experienced a significant disruption during a critical exam season. This disruption escalated after Instructure Holdings, the developer of Canvas, decided to pay a ransom to cybercriminals known as ShinyHunters, with the hope that they would delete the stolen data. However, the effectiveness and reliability of such a payment have come under scrutiny, raising serious questions about the ethics and consequences of complying with cyber extortionists.

Instructure, based in Utah, is known for providing both free and paid versions of its online learning platform, boasting over 30 million active users who include instructors and students. Following a significant breach of its systems, Instructure publicly acknowledged reaching an agreement with the unauthorized actors involved, although it refrained from disclosing the amount paid to the hackers. The situation escalated further when ShinyHunters reportedly breached Instructure’s systems not once, but twice within a short span.

The hackers’ tactics involved a brazen strike against Instructure’s infrastructure on a Thursday. They redirected users of Canvas across K-12 and higher education to a ransom note that claimed, "Instead of contacting us to resolve it, they ignored us and did some ‘security patches’," emphasizing a common strategy employed by ShinyHunters to exert pressure on their targets. Experts have indicated that the group appears to consist primarily of Western teenagers, further complicating the landscape of cyber threats.

This group has not only pressured Instructure but also targeted its customer base. It claimed to have identified around 8,800 victims, pressuring them for individual payoffs in exchange for assurances that their stolen personal data, such as names and email addresses, would not be disclosed. Organizations like Instructure, entrusted with sensitive data—especially regarding minors—find themselves in a precarious situation when faced with extortionists, caught between a desire to restore trust and the implications of paying ransoms.

Instructure communicated to its users that the stolen data had been returned to them and that they had received "digital confirmation of data destruction" in the form of shred logs. Additionally, the company assured its customers that no extortion would occur as a result of this incident, claiming that all impacted individuals were covered by the agreement with the hackers.

However, the cybersecurity community has expressed significant concern regarding this incident. Experts such as Alan Woodward, a visiting professor at England’s University of Surrey, lament the growing trend of paying off cybercriminals, viewing it as a practice that merely encourages ongoing cyber extortion. Paying ransoms can perpetuate a harmful cycle, reinforcing the idea that such extortion is a lucrative business model.

Furthermore, for organizations like Instructure, the act of paying ransoms does not guarantee a positive outcome. Cybersecurity specialists point out that such transactions are often built on shaky grounds; there is little assurance that the criminals will honor their promises to delete stolen data. Ciaran Martin, a professor at Oxford University and former CEO of Britain’s National Cyber Security Center, echoed this sentiment, highlighting the irony in placing trust in criminals for data deletion when they might still sell the data for their gain, despite any assurances.

The skepticism surrounding ransom payments is not unfounded. Historical evidence suggests numerous instances where attackers have failed to delete data even after receiving ransom payments. For example, after a December 2024 breach of PowerSchool, a widely used platform in K-12 education, the company opted to pay a ransom for data deletion. However, it was soon revealed that stolen data remained in circulation, resulting in further extortion attempts against affected organizations.

Similarly, following an operation led by the National Crime Agency that dismantled the notorious ransomware group LockBit, it became apparent that the group had not deleted data as promised despite multiple ransom payments made by various victims. Experts have observed that paying ransoms often leads to an increase in public exposure rather than a decrease, countering the very objective organizations aim to achieve.

The Canvas incident serves as a stark reminder that proactive measures to prevent data theft are crucial. Mitigating threats before they escalate and ensuring robust security measures should be prioritized. In the face of cyber extortion, the path forward becomes a complex tradeoff filled with ethical dilemmas and operational risks. Ultimately, organizations must weigh the implications of complying with ransom demands against the reality of a landscape fraught with ethical compromises and questionable assurances.
