Two months after Instructure struck a deal with hackers to salvage stolen user data, the company that owns the popular learning management system Canvas has suspended delivery of data related to the hack due to a potential security threat from a third-party delivery platform.
In May, a criminal ransomware group known as ShinyHunters hacked Canvas twice and claimed to have accessed the personal information of 275 million people across 9,000 institutions. At the time, the company said the leaked information included names, email addresses, student ID numbers and user messages, but it “found no evidence that passwords, dates of birth, government IDs or financial information were involved.”
Afterwards, Instructure CEO Steve Daly promised to be “transparent about what happened” and provide K–12 schools and higher education institutions with “information as quickly as possible.” Over the past two months, Instructure has been working “to conduct a detailed forensic examination of the data associated with this incident,” Daley said in a memo last week.
On Tuesday, the company was expected to provide institutions with the first wave of data related to the breach.
Instead, Daly said Tuesday that the company is “pausing data delivery out of an abundance of caution” after learning that “the third-party platform we chose to deliver your data may have been exposed to a security risk.” (In a previous note, Instructure said institutions will receive data “via a secure, permissioned ShareFile link sent directly from Sharefile only to security contacts designated by your institution.”)
Daly assured customers, which include 41 percent of higher education institutions in North America that use Canvas to deliver courses, that while their “data remains secure,” the company “will only act when we are confident that the third-party platform is secure… Security is of the utmost importance, and before we upload your data, we want to take the time to evaluate the security of the platform or find an alternative.”
This article has been updated to clarify that the potential security risk was from a third party vendor. There have been no data breaches at Instructure.