Michael Feldstein on the implications of the Canvas hack:
Let’s be clear: This was not some rando script kiddie waltzing through a wide-open back door. The hackers used multiple attack vectors, including Canvas’s open course sites, their help desk software, and social engineering through a help desk call. Instructure is SOC 2 compliant, meaning they’ve had intrusive third-party security audits. The criminals wanted Instructure to let the public know the name of their organization and the fact that they returned the data after the ransom was paid. Why? Advertising. The criminals wanted future victims to know that paying the ransom gets them something in return. Selling students’ private information to the internet isn’t their business model. They’re cyber kidnappers.
This is organized crime. They want us to know that, when they come for us, on whatever platform they attack next, we should pay them.