The company that operates the online learning system Canvas said it reached a deal with hackers to delete data they stole in a cyberattack that created chaos for students, many of them in the middle of finals. Instructure, the parent company of Canvas, said in an online post that it reached an agreement with the unauthorized actor involved in the incident, then temporarily took the system offline while it investigated, locking out students and faculty.
Who Pays When the Platform Breaks
The disruption hit the people who depend on the system most directly: students and faculty members who were suddenly cut off from grades, course notes and assignments. Schools and universities use Canvas to manage nearly all aspects of instruction. The platform acts as a gradebook, a hub for digital lectures and course materials, a discussion board for classroom projects, and a messaging platform between students and instructors. Some courses also give quizzes and exams on the platform, or use it as a portal where final projects and papers are submitted on deadline.
That dependence turned a breach into a full-scale institutional chokehold. Instructure did not provide details on the agreement with the hackers, including whether it involved a payment, and did not say who was behind the hack. The company said Monday that it also received “digital confirmation” that the hackers destroyed any remaining copies, in the form of “shred logs.” Instructure acknowledged that there was no way to be sure the data was erased for good and said it took action because of concerns about potential publication of the data.
Instructure said, “While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.”
The Ransom Logic
A hacking group named ShinyHunters claimed responsibility for last week’s breach and threatened to leak data involving nearly 9,000 schools worldwide and 275 million individuals if schools did not pay a ransom by May 6. The group later extended the deadline, indicating some schools had engaged with them to negotiate. ShinyHunters also was behind a smaller breach of Instructure last year.
A lawsuit filed last week in federal court in Utah alleged Instructure did not do enough to protect the platform used by millions of students and made itself “easy prey for cybercriminals.” That complaint sits alongside the company’s own scramble to contain the damage, a familiar pattern in which the people at the bottom absorb the consequences while institutions argue over liability after the fact.
Cybersecurity experts were skeptical it was the end of the attack. Cynthia Kaiser, a former deputy director of the FBI’s Cyber Division and now the senior vice president of the Halcyon Ransomware Research Center, said the reported deal suggests that a ransom was likely paid. She said, “What victims must understand is that payment does not end the threat. Stolen data will be used against clients and users for as long as it remains profitable to do so.”
What Was Taken, What Was Left
The data breach appeared to involve student ID numbers, email addresses, names and messages on the Canvas platform, Instructure’s chief information security officer, Steve Proud, said earlier this month. The company found no evidence that passwords, dates of birth, government identification or financial information were compromised. Instructure said it was working with “expert vendors” to do a forensic analysis, “further harden” its systems, and carry out a “comprehensive review of the data involved.”
The language is polished, but the reality is blunt: a system used by millions of students was locked down, students were cut off in the middle of finals, and the company that runs the platform responded by negotiating with the people who stole the data. The company said it reached an agreement, but gave no details. It said it got “digital confirmation,” but admitted there was no way to be sure the data was erased for good.
The breach appeared to involve the basic identifiers and messages that make the platform function as an all-in-one classroom apparatus. The panic last week among students and faculty members came when they were locked out of a platform they rely on to manage grades and access course notes and assignments. That is the hierarchy in plain view: a centralized educational system, a private company running the infrastructure, and the people who need it most left scrambling when the machine goes down.
Heather Hollingsworth contributed to this report.