
Instructure Pays Canvas Hackers To Delete Students' Stolen Data (bbc.com)

(Tuesday May 12, 2026 @11:30PM (BeauHD) from the ransom-deals dept.)


Instructure, the company behind the widely used Canvas learning platform, [1]says it reached an agreement with the hackers who [2]stole 3.5 terabytes of student and university data. The company says it [3]received "digital confirmation" that the information was destroyed and that affected schools and students would not be extorted. The BBC reports:

> Paying cyber criminals goes against the advice of law enforcement agencies around the world, as it can fuel further attacks and offers no guarantee the data has been deleted. In previous cases, criminals have accepted ransom payments but lied about destroying stolen data, instead keeping it for resale. For example, when the notorious LockBit ransomware group was hacked by the National Crime Agency, police found stolen data [4]had not been deleted even after payments had been made.

>

> Instructure said in a statement on its website that protecting students' and education staff data was its primary motivation. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said. Instructure did not set out the terms of the agreement but said that it meant that:

> - the data was returned to the company

> - it received "digital confirmation of data destruction"

> - it had been informed that no Instructure customers would be extorted as a result of the incident

> - the agreement covers all affected customers, with no need for individuals to engage with the hackers



[1] https://www.instructure.com/incident_update

[2] https://it.slashdot.org/story/26/05/08/0622227/the-canvas-hack-is-a-new-kind-of-ransomware-debacle

[3] https://www.bbc.com/news/articles/cdepzg83x87o

[4] https://therecord.media/lockbit-lied-about-deleting-exfiltrated-data-after-ransom-payments



Bad move (Score:2)

by Locke2005 ( 849178 )

Personally, I subscribe to the "Shoot the hostage" school of negotiating with criminals.

Re: (Score:2)

by TwistedGreen ( 80055 )

Pop quiz, hotshot... oh shit, Canvas leaked all the quiz answers. Never mind.

SUCKERS (Score:3)

by JustAnotherOldGuy ( 4145623 )

Sure they deleted it. Now, how long before the 'deleted data' starts showing up elsewhere? Any guesses?

Re:SUCKERS (Score:4, Funny)

by pegr ( 46683 )

But they have digital confirmation!

Re:SUCKERS (Score:5, Funny)

by Fly Swatter ( 30498 )

I hope it is in the form of an NFT, they shouldn't trust anything else.

Re: (Score:1)

by igreaterthanu ( 1942456 )

These groups make money with their reputation. If paying them didn't guarantee deletion, guess how many people will pay them in the future?

Hahaha (Score:3)

by liqu1d ( 4349325 )

I have deleted the data but you didn't pay to delete the backup

Re: (Score:2)

by 93 Escort Wagon ( 326346 )

"Yes, you did pay to delete the backup... but not the redundant copy."

Re: (Score:3)

by Monoman ( 8745 )

3-2-1 rule comes into play. LOL

Re: (Score:2)

by fahrbot-bot ( 874524 )

> I have deleted the data but you didn't pay to delete the backup

One has to be very specific when making deals with goblins.

Pinkie-Swearman Key Exchange (Score:5, Insightful)

by Pseudonymous Powers ( 4097097 )

'The company says it received "digital confirmation" that the information was destroyed and that affected schools and students would not be extorted. The BBC reports.'

For a company that makes education software, they sure must think their customers and users are pretty stupid.

Re: (Score:3)

by 93 Escort Wagon ( 326346 )

Well, odds are the people in charge at Instructure are relatively stupid themselves. It's like the old Sherlock Holmes quote: "Mediocrity knows nothing higher than itself" - the Instructure leadership probably can't fathom how anyone smarter than them could exist.

Given how people keep stupidly paying these ransoms... maybe it's time to criminalize that act.

Re: Pinkie-Swearman Key Exchange (Score:2)

by drinkypoo ( 153816 )

If they weren't they wouldn't buy their shit, so they KNOW they're stupid

Re: (Score:3)

by drinkypoo ( 153816 )

> How do you feel about Iran's terrorist demands?

I feel like they are asking for the sun. Are you new to negotiations?

I also feel like all of this could have been avoided by just not doing what we've been doing. For decades.

Re: (Score:2)

by oldgraybeard ( 2939809 )

Users get a pass! Functionality and security were not the drivers in the selection process. Users are trapped because the school administrators and school boards chose the educational product they received the biggest kickbacks on.

Re: Pinkie-Swearman Key Exchange (Score:2)

by machineghost ( 622031 )

I doubt the Canvas people are bribing educators and education administrators.

The truth is likely far more banal: Canvas is one of those "crappy but checks the boxes" products, like Jira or Slack. In other words, it's a "no one ever got fired for buying IBM" kind of product.

next, they'll raise prices to cover the expense (Score:3, Informative)

by david.emery ( 127135 )

I repeat my call for legal liability for companies that sell products or services with errors, including security vulnerabilities.

Re: (Score:2)

by david.emery ( 127135 )

Security liability should apply across the supply chain. But if you're ok with blaming God for mistakes made by incompetent developers, that's I guess your religious freedom at work...

Re: (Score:2)

by A nonymous Coward ( 7548 )

"Act of God" is a legal term of art. You should be blaming lawyers and governments.

So complex there are no obvious problems... (Score:2)

by robbak ( 775424 )

... Or so simple there are obviously no problems. It seems we have lost the ability to do the latter.

I mean, a computer's BIOS should be an exceedingly simple thing, with only enough smarts to initialise storage, copy bytes into RAM, check that those bytes are properly signed and then pass execution to them. Instead it is a full environment that never gets patched. This means that no one can build a secure system, because it's built on Swiss cheese.

This is Bad (Score:3)

by battingly ( 5065477 )

This all but guarantees an increase in ransomware attacks. There won't be any increase in defense against these kinds of attacks because it's easier and cheaper to pay the ransom. The losers here will be the users because of all the downtime and there will inevitably be leaks anyway.

Paying the ransom is reprehensible since it will cause so much pain for other people in the future, and should be illegal.

Re: This is Bad (Score:2)

by reanjr ( 588767 )

There's pretty much only two other places on Earth where similar situations exist (territorial waters closing off an international body of water and controlled by states not dedicated to free trade). The first is the Red Sea, which is contained by Suez and Bab al-Mandab. The other is Indonesia at Malacca. Malacca is super easy to work around, and the Red Sea has two exits and much of its critical exports can use the Persian Gulf, so it would require far more coordination.

Re: (Score:2)

by jezwel ( 2451108 )

> Which is the exact reason nobody should allow Iran to steal the Strait of Hormuz.

I didn't think there was this problem with the SoH a few months back - was Iran trying to claim it last year?

They should be shut down corporate charter revoked (Score:2)

by Fly Swatter ( 30498 )

Paying just makes them look bad twice, the first time was losing the data. Now they just supported ransomware attacks to increase.

They will be sued by the next victims (Score:1)

by davidwr ( 791652 )

The next major ransomware victims will sue Instructure for encouraging ransomware attacks.

Sounds good! (Score:1)

by cascadingstylesheet ( 140919 )

I mean, if you can't trust criminals, who can you trust?!?

Re: (Score:2)

by CommunityMember ( 6662188 )

>> I mean, if you can't trust criminals, who can you trust?!?

> Well, the Mob did dispose of the bodies (they never found Hoffa's remains), and did have a code of honor to follow through on their commitments.

The term "honor" has always been somewhat flexible in interpretation in criminal organizations.

The current miscreants appear to live by a different code than the reported approach used by the mob (and their families).

Paying for something that cannot be confirmed (Score:2)

by OrangeTide ( 124937 )

> "We never pay any-one Dane-geld,

> No matter how trifling the cost;

> For the end of that game is oppression and shame,

> And the nation that plays it is lost!"

— Rudyard Kipling (1865-1936), Dane-geld, Stanzas 5-6

There is a good reason that "law enforcement agencies around the world" advise against paying cyber criminals. And it isn't because law enforcement is dumb, or that they like seeing you getting your data stolen.

Nothing like making crime pay! (Score:2)

by oldgraybeard ( 2939809 )

Guaranteeing more cyber crime when crime pays really well! Next time they will need to pay more. And everyone knows the data has already been sold.

"confirmation" (Score:2)

by daninaustin ( 985354 )

No wonder they got hacked, if they think they can get confirmation that it was deleted. It's not a serious company.

Re: (Score:2)

by TwistedGreen ( 80055 )

But they sent a video of someone in a mask drilling out a hard drive!

What idiots (Score:2)

by felixrising ( 1135205 )

Honestly, what idiots to fall for the scam. I know my data is in there somewhere, but I have no doubt by paying the ransom, they've only perpetuated the business model further. There is no honour amongst thieves.
