Canvas software maker Instructure announced an agreement with hackers who breached its systems twice, though the company offered no assurance the attackers will honor the deal or refrain from releasing stolen data.
Instructure, which provides Canvas learning management software to schools and universities worldwide, disclosed it has reached an agreement with the threat actors responsible for two separate security breaches.
The company did not disclose specific terms of the deal or explain what concessions were made. In a statement, Instructure said it "reached an agreement" with the hackers but provided no guarantees regarding data protection or the attackers' future conduct.
The lack of transparency raises significant questions about the effectiveness of such negotiations. Cybersecurity experts have long warned that paying or negotiating with threat actors provides no binding assurance that stolen data will be deleted or withheld from public release. Hackers can easily copy files before agreeing to terms, then distribute the information later for additional profit.
Instructure serves educational institutions across multiple continents, making any data breach a concern for millions of students and staff members. The nature of the information accessed during the two breaches has not been fully disclosed.
This incident highlights the difficult position organizations face when targeted by cybercriminals. Schools and universities often choose negotiation as a last resort to minimize potential harm, despite the inherent risks of dealing with attackers who operate outside legal systems.
The company has not announced whether it will notify affected users about the breaches or provide details on what data was compromised. Instructure said it is working to strengthen security measures, a standard response that typically follows major incidents.
The agreement comes as educational institutions increasingly face cyberattacks. Ransomware gangs and data thieves frequently target schools due to their valuable student and staff records, often combined with limited IT resources compared to larger enterprises.
Users of Canvas should monitor their accounts for suspicious activity and consider changing passwords as a precautionary measure.
Australia's eSafety watchdog will investigate whether major adult websites are allowing users to bypass age verification requirements using virtual private networks (VPNs). The probe follows new regulations introduced in March requiring age checks on adult content.
Dutch National Police have identified strong evidence that Dutch hackers were responsible for a February breach at telecommunications provider Odido. The investigation marks a significant development in the case.
Surveillance technology company Flock Safety did not issue a cease-and-desist letter to The Saturday Salon, a Newport Beach lecture series, despite claims posted on Instagram Thursday. The incident reignites debate over the company's practices and relationship with law enforcement.
The US Cybersecurity and Infrastructure Security Agency revealed it lacked a prepared incident response plan during a recent security event, forcing it to develop procedures in real time.