Canvas hack: Company pays criminals to delete students’ stolen data
Canvas Hack: Company Pays Cybercriminals to Delete Students’ Stolen Data
Canvas hack – A widespread cyber incident recently targeted the widely used Canvas platform, disrupting operations at thousands of educational institutions across the United States, Canada, Australia, and the UK. The breach, which occurred last week, led to significant chaos, with exams delayed and students unable to access critical coursework. Now, the company responsible for developing Canvas has reportedly agreed to a deal with the hackers, ensuring the stolen data was erased and the threat of its public release was averted.
Stolen Data Threatened Public Exposure
According to reports, the hackers seized approximately 3.5 terabytes of student and university information, including personal details, academic records, and possibly confidential communications. They issued a ransom demand, threatening to leak the data unless a payment was made in bitcoin. Instructure, the company behind Canvas, has confirmed it reached an agreement with the attackers, who claimed they deleted the data and committed to not exploiting it further.
While the exact amount of the ransom remains undisclosed, the decision to pay is seen as a strategic move to prevent the data from becoming public. However, cybersecurity experts caution that such payments can encourage more attacks, as they provide criminals with resources to continue their operations. In the past, ransomware groups have accepted money but retained the stolen data, selling it to third parties or using it for future extortion.
Previous Ransom Cases Highlight Risks of Payment
Law enforcement agencies have long advised against paying cybercriminals, emphasizing that it often lacks guarantees. For instance, in a case involving the LockBit ransomware group, investigators uncovered that the organization had not erased stolen data even after receiving payments. This pattern suggests that ransom deals may not always ensure the safety of sensitive information.
Similarly, the National Crime Agency recently discovered that a ransom payment to LockBit did not prevent the group from reselling data to private entities. These incidents underscore the challenges of relying solely on financial compensation to secure data. Instructure, however, argued that its action was necessary to minimize harm to students and educators.
Transparency and Public Acknowledgment
Instructure maintained a high level of openness throughout the crisis, regularly updating its website and the public on the situation. The company’s statement highlighted its commitment to safeguarding data, stating, “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.”
“We have no comment on that.”
This transparency may have been influenced by the attack’s visibility, as it directly impacted students. For example, at Mississippi State University, a meteorology student named Aubrey Palmer shared their experience of being caught in the middle of an exam when a ransom message appeared on their screen. The note read: “Shiny Hunters has breached Instructure (again).” It warned that data would be released unless a ransom was paid in bitcoin by Canvas or the affected universities.
Palmer described the moment as shocking, noting that they and others had just completed a 2,900-word essay when the threat was revealed. “My knee-jerk reaction was that I’d been hacked myself, because that’s what it looked like,” Palmer said. The message caused confusion among professors and students, with many unsure if their work had been saved. As a result, Mississippi State University announced the postponement of some exams to allow students to recover any lost progress.
Shiny Hunters: A Familiar Threat
The extortion group behind the breach, Shiny Hunters, has a history of targeting organizations for financial gain. They typically steal data and use encrypted chat services to negotiate ransom payments in bitcoin. Shiny Hunters has previously claimed breaches at companies like Jaguar Land Rover and Gucci, demonstrating their ability to operate on a global scale.
Interestingly, the group has stated that it hacked Canvas twice before the most recent incident. Instructure disclosed the first breach in September 2025, while Shiny Hunters alleged a second breach in April 2026, occurring just before the 29 April attack. Despite these claims, the company did not confirm the details, leaving room for debate about the timeline and severity of the threat.
Impact on Students and Institutions
The disruption caused by the breach was particularly acute for students in the US, where exams were canceled or delayed. Many faced the challenge of revising without access to the Canvas platform, while others experienced interruptions during online assessments. The situation created a sense of urgency, as educators scrambled to ensure that coursework was not lost permanently.
Aubrey Palmer’s account illustrates the personal toll of the incident. “We were all focused on finishing our exams when the message came through,” they recalled. “It was a huge shock to see our institution targeted.” The same message was sent to professors and numerous students, leading to widespread anxiety about the security of their academic records. For some, the breach felt like a direct attack on their hard work and privacy.
Why Pay Ransom? A Company’s Perspective
Instructure’s decision to pay the ransom reflects a broader dilemma faced by organizations during cyberattacks. The company prioritized protecting student data over the risk of public exposure, acknowledging that the threat of data leaks could cause long-term damage to its reputation and the trust of its users. While the agreement terms remain unspecified, the company’s actions suggest a willingness to invest in resolving the crisis quickly.
Shiny Hunters’ method of operation relies on exploiting the vulnerability of victims, using intimidation to secure payments. By negotiating through encrypted channels, they ensure discretion while maximizing the financial incentive. The group’s English-speaking nature and youthful profile further position them as a modern, agile threat in the cybercrime landscape.
Broader Implications for Cybersecurity
The Canvas incident highlights the growing trend of ransomware attacks on educational institutions. As more schools and colleges adopt digital platforms, they become attractive targets for cybercriminals seeking quick financial rewards. Instructure’s case adds to a list of companies that have paid ransoms to avoid data breaches, raising questions about the effectiveness of such strategies.
Experts warn that while paying ransoms can provide temporary relief, it does not eliminate the risk of future attacks. The stolen data may still be in the hands of criminals, who could sell it to other entities or use it as leverage in subsequent negotiations. This uncertainty has led to calls for stronger cybersecurity measures and more robust data protection protocols in the education sector.
As the situation unfolds, the focus remains on the students affected by the breach. For them, the incident serves as a reminder of the fragility of digital systems and the need for proactive security measures. Instructure’s transparency, while helpful, also underscores the high stakes involved in such a crisis, as the company balances the immediate needs of its users against the long-term implications of its decision.