Instructure's Deal with Cybercriminals: A Target on Their Back
Instructure, the company behind the Canvas learning platform, has found itself in a precarious situation after negotiating with hackers responsible for a major data breach. This move has raised eyebrows among cybersecurity experts, who warn that it could leave the company vulnerable to further extortion attempts.
The breach, attributed to the hacking group ShinyHunters, exposed personal information belonging to approximately 275 million people across various countries. The data included usernames, email addresses, course details, and messages, causing significant concern for students and educational institutions alike.
The Negotiation and Its Implications
Instructure's decision to negotiate with the hackers has sparked debate. While the company claims the data has been returned and destroyed, along with assurances that customers won't be extorted, some experts argue that this approach may have unintended consequences.
Cybersecurity consultant Luke Irwin suggests that the payment of a ransom, estimated at US$10 million, could make Instructure a target for future attacks. He explains that hackers often add organizations that pay ransoms to their 'sucker list', increasing the likelihood of further extortion attempts.
The Australian government's stance on ransom payments is clear: it discourages companies from paying, as there's no guarantee it will prevent data leaks or additional cyber attacks. This aligns with the views of the public, as a survey revealed that over 55% of respondents had their data stolen in the past year, with 52% opposing ransom payments.
A History of Cybercriminal Tactics
ShinyHunters, a well-documented criminal group, has a history of large-scale data theft and extortion. Their modus operandi involves exploiting vulnerabilities, exfiltrating sensitive data, publicizing the theft, and pressuring victims into paying ransoms to prevent public disclosure. This pattern of behavior highlights the challenges organizations face in dealing with cybercriminals.
The Impact on Instructure and Its Customers
The data breach has had far-reaching consequences. Instructure's inability to contain the threat actor following the initial intrusion has raised questions about its incident response capabilities. This has led to multiple lawsuits against KKR, the global investment firm that owns Instructure, and scrutiny from the US Department of Homeland Security.
The company's actions have also sparked concern among educational institutions and students. The disruption to the learning platform and the potential exposure of sensitive information have caused significant distress. The Australian government's involvement in assessing the impact and improving cybersecurity in the higher education sector further underscores the gravity of the situation.
Conclusion: Learning from the Breach
Instructure's negotiation with hackers has sparked important discussions about the best approach to dealing with cybercriminals. While the company's intentions may have been to mitigate the immediate damage, the potential long-term consequences are significant. This incident serves as a stark reminder of the need for robust cybersecurity measures and the importance of learning from past mistakes to prevent future breaches.
