ShinyHunters breach Instructure Canvas LMS, claim 275M users and 3.65TB of student data from 9,000 schools including 44 Dutch institutions

ShinyHunters breach Instructure Canvas LMS, claim 275M users and 3.65TB of student data from 9,000 schools including 44 Dutch institutions

Briefly

"The criminal group ShinyHunters, which previously orchestrated the Snowflake supply chain attacks that compromised Ticketmaster and AT&T, claims to have stolen 3.65 terabytes of data affecting 275 million users across nearly 9,000 educational institutions worldwide, including private messages between students, teachers, and staff."

"In the Netherlands, 44 universities and schools are confirmed affected, from the University of Amsterdam and Vrije Universiteit to The Hague University of Applied Sciences. Dutch authorities have told students and staff to be vigilant. The hackers have told Instructure to pay up by 8 May or the data goes public."

"And the breach exposes a structural vulnerability in the way education has been digitised: the schools did not choose to be attacked, and they could not have prevented it, because the decision to entrust student data to a single vendor was made years ago, and the vendor's security was never theirs to control."

"The largest education data breach in history was not an attack on a school. It was an attack on a vendor. On 30 April, hackers exploited a vulnerability in the systems of Instructure, the company that makes Canvas, the learning management system used by 41 per cent of higher education institutions across North America."