ctipilot.ch


Canvas / Instructure extortion — ransom paid, US House investigation, second-intrusion vulnerability re-exploited

notable synthesis discovered 2026-05-11 05:00 UTC

Entities: ShinyHunters

Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)

The W19 weekly closed with the Canvas / Instructure extortion deadline of 2026-05-12 pending. The trajectory through W20:

Tuesday 2026-05-12: Instructure confirmed ransom payment to ShinyHunters with claimed data return and digital confirmation of destruction; second intrusion separately confirmed; per-institution leak deadline reset to the same day (daily 2026-05-12 UPDATE; The Record, 2026-05-12).

Wednesday 2026-05-13: the US House Homeland Security Committee (Chairman Garbarino) opened a formal investigation and requested an Instructure CEO briefing by 2026-05-21 covering both intrusion circumstances, scope and nature of accessed data, IR adequacy, and CISA coordination (House Homeland Security Committee letter, 2026-05-11; daily 2026-05-13 UPDATE).

Post-payment: ShinyHunters defaced approximately 330 institutional Canvas login pages by re-exploiting the same Free-For-Teacher account vulnerability that enabled the second intrusion — demonstrating that the "no customer extortion" covenant in the ransom agreement was at best narrowly observed and that the access vector was not actually closed (The Record).

The story matters to Swiss / EU public-sector defenders for three reasons that crystallise only across the multi-day arc.

First, paying the ransom did not close the access vector: Instructure's patches did not eliminate the Free-For-Teacher abuse path, so the defacement wave is operational evidence that the underlying flaw remained exploitable; this is the "what did the patch actually fix" question every IR-receiving organisation should be asking of every paid-ransom-with-promised-fix vendor.

Second, the seven Dutch universities (VU Amsterdam, UvA, Erasmus, Tilburg, TU/e, Maastricht, Twente) disconnected Canvas rather than wait for vendor remediation (NL Times, 2026-05-09) — a defender posture worth pattern-matching for any future SaaS-LMS / SaaS-LRS / SaaS-grade-management vendor compromise.

Third, the US House investigation is the regulatory analogue Swiss / EU SOC managers should anticipate from cantonal education ministries; the questions Chairman Garbarino's letter lists (intrusion timeline, data scope, IR adequacy, CISA / national-CSIRT coordination) are the same questions a cantonal Bildungsdirektion will ask after the next EdTech SaaS incident.

The outcome of the 2026-05-21 briefing is the open horizon item for 2026-W21.

ransomware data-breach organized-crime us europe