A notorious hacker group threatened to leak massive amounts of data stolen from universities, including several in Sweden. Now, the leak appears to have been stopped after the company behind the compromised service reportedly reached an “agreement” with the cybercriminals.
Darknet Threat Removed
A major data breach affecting numerous Swedish universities appears to have been contained. The cybercriminal group known as Shiny Hunters has removed its threat from its darknet leak site, where stolen data is often published if ransom demands are not met.
Shiny Hunters has built a reputation for targeting large organizations, stealing sensitive data, and demanding payment in exchange for not releasing it publicly. Previous victims reportedly include major brands such as SoundCloud and Zara.
This time, the target was Instructure, the company behind Canvas, one of the world’s most widely used learning management systems. Canvas is used by educational institutions globally, including many Swedish universities. The attackers are believed to have gained access to a vast amount of personal information and internal communications.
“Agreement” Raises Questions
Instructure has announced that it has reached an “agreement” with the group responsible for the attack. While the company has not disclosed the details of the arrangement, cybersecurity experts believe it may indicate that a ransom payment was made.
“I can’t interpret it any other way than that they paid,” said cybersecurity specialist Karl Emil Nikka, while emphasizing that he does not have direct insight into the exact circumstances of the agreement.
The company also stated that it has received “confirmation” that the stolen data has been destroyed. According to Instructure, this confirmation came in the form of log files provided by the attackers. However, experts warn that such evidence can be fabricated.
Instructure further claims to have received assurances that affected organizations and individuals will not face any future extortion attempts related to the incident.
Can Cybercriminals Be Trusted?
In a public statement, Instructure explained its decision:
“While it is never possible to be completely certain when dealing with cybercriminals, we felt it was important to take every action within our control to provide customers with as much additional assurance as possible.”
Karl Emil Nikka remains cautious.
“Those kinds of promises are only worth something as long as the group remains active and cares about its reputation. We’ve seen extortion groups claim they deleted stolen data, only for it to later emerge that they kept it.”
Millions Potentially Affected
More than 30 Swedish higher education institutions use Canvas, including Uppsala University, Chalmers University of Technology, the University of Gothenburg, KTH Royal Institute of Technology, and the Swedish Defence University.
Globally, the breach is believed to have impacted as many as 275 million users, making it one of the largest education-related cybersecurity incidents in recent years.
The potential exposure of private conversations and academic communications has raised concerns among both students and faculty members.
“It’s very unsettling to know that conversations held in confidence between students, and between students and teachers, could potentially be exposed,” Henrik Dahlberg, Press Officer at Chalmers, previously told Swedish news agency TT.
A Reminder of Growing Cybersecurity Risks
Although the immediate threat of a public data dump may have been avoided, the incident highlights the growing risks facing educational institutions and cloud-based platforms. Whether the stolen information has truly been deleted may never be known with certainty, leaving universities and their users hoping that the attackers keep their word.
