Canvas Comms Show Company Has Some Learnin’ to Do

Thom Weidlich 05.14.26


The recent data breaches at education-technology platform Canvas are among the weirder and more widespread break-ins. They affected schools worldwide — in some cases disrupting final exams. The communications from the parent company were so lacking that the CEO apologized for them, admitting it focused too much on fact-gathering.

Given that the breaches happened around finals, the timing wasn’t good. Some schools canceled their exams — it’s a huge reputational hit to the parent, Salt Lake City–based Instructure Inc. The story got wide coverage not only in mainstream media writing about local schools, but in college and even high-school publications — exactly Canvas’ customer base.

ShinyHunters, the group that’s taken credit for the breaches, said its efforts affected 275 million students and faculty at 9,000 educational institutions, from K-12 schools to colleges and universities. The cybercriminals demanded a ransom. The Canvas platform is used to manage coursework, assignments and student-teacher communication.

Situation Contained

Instructure first announced an incident on May 1 on its status page, where the bulk of its communications has been located — more on that below. By the next day, the company said it thought the situation was contained. It said it believed names, email addresses, ID numbers and private conversations of students and teachers were taken, but not passwords, dates of birth, government identifiers or financial information.

Instructure’s next update didn’t come until May 6, when it said Canvas was fully operational. The company said it would no longer update on the status page but would do so “as appropriate through other channels.” It was now “communicating directly with impacted customers to provide organization-specific information and support,” it said.

To ramp up the pressure, on May 7 ShinyHunters broke into the Canvas log-in page and wrote, “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’” The group said individual schools should negotiate their own ransom payments. It gave a deadline of May 12.

In response, Instructure pulled Canvas offline, referring to it as “scheduled maintenance” — which, along with the lack of comms in general, was a problem in that it wasn’t truthful.

‘Consistent Communication’

Instructure CEO Steve Daly has since posted a letter on the company’s website, which is undated — another gaffe. It starts with an apology about the bad communications: “Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that.”

Daly went on to explain that the company gave precedence to fact-gathering rather than communicating. While you must get the facts straight in a crisis, it’s a mistake to leave a communications vacuum. At least let your stakeholders know what you know and that you’re working to learn more.

Daly wrote: “Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward.”

Dedicated Page

Daly said that Instructure would now have a web page dedicated to the breach. Not having that sooner — relying on the status page — was also a blunder.

Finally, on Monday this week (the day before the ransom deadline), Instructure announced it reached a deal with ShinyHunters in which the group returned the stolen data and provided evidence that it destroyed the information on its end. The deal means no Canvas customers need to negotiate with the cybercriminals, Instructure said.

The company didn’t disclose what it gave ShinyHunters as part of the deal.

Image Credit: Geralt/Pixabay
