
So, err, Instructure have been in the news for rather unfortunate reasons. I didn’t know if I should say anything about this, but of course my team and I have been kept busy by it, and I have some thoughts on the situation, so first I’ll reiterate that this is my personal blog, and is in no way affiliated with, and my views are not endorsed by, the University of Sunderland or Instructure. Necessarily.
The purveyors of Canvas, Sunderland’s VLE for the past decade or thereabouts, were hacked on the 25th of April. They didn’t discover the intrusion until the 29th, and we didn’t know until we came back from the bank holiday Monday. It did explain all the alerts sitting in my mailbox from the weekend though. In the four days that the hackers were in, they extracted data from almost 9,000 institutions using Canvas, which included names, email addresses, student IDs, and ‘messages’. 275 million individual users, between 3 and 6 terabytes of data, according to different sources. That’s a lot of damage! The largest educational security breach in history according to the Wikipedia article on the topic. (So big it has a Wikipedia article.)
Instructure believed that they had resolved the incident and refused to pay the initial ransom* demand, but after the deadline passed the hacking group got in again on May 6th/7th and placed a warning message on the Canvas homepages of around 330 institutions (but no additional data was stolen). At that point Instructure took the entire service offline while they fixed that, and subsequently paid the ransom demand in an attempt to fully resolve the situation and restore trust and confidence in Canvas.
Of course Sunderland have been affected, and in due course we’ll be getting an individualised report on exactly what data of ours was included in the breach. We were initially frustrated by what we saw as a lack of response and clear communication from Instructure, but they have responded to that feedback well, acknowledging that they were flooded with enquiries in the initial aftermath and simply couldn’t keep up. And of course they had a lot of work to do to secure their systems before being able to share specific details with their partners. We know now that the attackers used Instructure’s Free-for-Teachers platform and cross-site scripting to gain access to their backend support systems. Free-for-Teachers remains offline, but the core Canvas system is back and fully operational, and complete downtime was limited to only 8 hours or so during the second attack, and this was overnight in the UK so we were minimally affected. I’ve been on a number of calls and webinars about the incident, of course, and I’m quite confident that Instructure have fortified their security across the board to minimise any further attack opportunities.
What I’m less confident about was the wisdom of paying the ransom, for “once you have paid him the Danegeld / You never get rid of the Dane”, as Kipling put it. Of course I’m not a lawyer, or a cybersecurity boffin, and I’m certain that this was an extremely difficult and complex decision for Instructure. However, as well as the moral principle of not paying ransom, there are very strong practical reasons why you shouldn’t, namely that you can’t trust criminals! Even Instructure’s own statement on the matter included a very large caveat that the hacking group could not be trusted, and they couldn’t be completely certain that the stolen data was destroyed, as claimed. The Reg published a great article on the fallout of the attack in which they explain this very well:
“CrowdStrike surveyed 1,100 global security leaders last summer, and of the 78 percent who said they experienced a ransomware attack in the past year, 83 percent of those that paid ransoms were attacked again. Plus 93 percent lost data regardless of payment.”
As a result, my concern is that this isn’t actually over, and has the potential to reappear further down the road. Had Instructure not paid, the data would have been leaked on the dark web, and it would have been very bad for everyone involved, but from that point I feel like we could all have rebuilt and recovered. Instead we may have a sword of Damocles hanging over us.
It’s a sad state of affairs that in the world we’ve built this is a common occurrence. Everyone gets hacked. Sunderland itself were hacked back in 2021 in what we now refer to as ‘the cyber security incident’. Part of the problem is that we’ve all outsourced data into huge silos managed by a small handful of tech giants. When I began my career, long, long ago, we ran Blackboard on our own servers. Our data, managed by the university, in a server room on campus with a mirrored offsite backup. It’s an approach that had its advantages. While I’m sympathetic towards Instructure, and I think they’re less likely to suffer from future incidents as a result of the security hardening measures they’ve put in place, I know that there are institutions who have already spun up a Moodle server almost overnight and moved away, possibly permanently. We’ve made our own contingency plans at Sunderland which I won’t talk about, and I’m looking forward to NELE in a few weeks to gossip with the gang and find out more about how Newcastle have handled things.
Something useful that I learned was that Jisc in the UK are constantly monitoring the dark web looking for evidence of data leaks which may affect any institution, and Instructure have contracted with a security agency who are doing the same thing on their behalf as part of their response to the incident.
More, and more up-to-date, information is available on Instructure’s Incident Update webpage.
* These kinds of attacks are called ‘ransomware’, but as a Reg commenter pointed out, it would be more accurate to call this kind of attack blackmail.
