Blank Canvas

This month’s post concerns the extortion of Instructure, the company that owns the online learning platform Canvas. Canvas is used by thousands of universities and other educational institutions around the world, and provides multiple functions, including for sharing course materials like lecture slides and communicating with students. It can also be used to publish assessments, receive submissions and facilitate marking.

While it is likely that Canvas was breached over a longer period of time, on May 7 the attackers defaced the login page with a public extortion demand and Instructure disabled the platform in response. ShinyHunters, a shadowy network of (probably) young offenders well-known for similar extortions, claimed responsibility. On May 11, a ransom payment was made in exchange for data return, the destruction of stolen data and a promise to cease extortion attempts against Instructure and its customers. For more details on this episode see here, here and here.

Many likely did not take notice of this attack. Canvas is not a big brand that would attract the same level of media attention as more famous entities, such as Harrods or MGM. It is so niche to the education sector, that even some working in cyber threat intelligence may not have paid much attention to the news. But if you work in the education sector, as I do, the episode was immediately noteworthy as it had a direct impact on day-to-day operations. This speaks to the scale and breadth of modern-day cybercrime: beyond the headlines, many victims remain hidden below the surface.