Key Takeaways
- Ransom Paid, Data Allegedly Destroyed: Instructure, maker of the widely used Canvas platform, confirmed it reached an agreement with ShinyHunters hackers, who claim to have destroyed stolen data after two breaches affecting potentially 275 million users.
- Risky Precedent Amidst Warnings: The decision to pay an undisclosed ransom contradicts advice from governments and security experts, who warn against incentivizing cybercriminals and highlight the unreliability of hacker promises, as evidenced by the PowerSchool incident.
- Lingering Security & Accountability Concerns: Despite the agreement, Instructure faces scrutiny over its cybersecurity posture, having been breached twice in a year. Questions about the company’s leadership accountability and the true extent of data integrity remain unanswered, raising alarms across the education technology sector.
Instructure Pays Ransom to ShinyHunters After Double Breach, Raising Alarms Over Ed-Tech Security
Instructure, the company behind the ubiquitous school information portal Canvas, has confirmed it “reached an agreement” with the notorious cybercrime group ShinyHunters following two disruptive data breaches. The financially motivated hackers, who claimed to have stolen an immense volume of student and staff data—potentially impacting 275 million individuals—have reportedly provided proof of data destruction and pledged not to extort Canvas customers further. While the immediate crisis appears to be defused, the undisclosed financial terms and the very act of negotiating with cybercriminals ignite a fierce debate over cybersecurity best practices and the growing vulnerability of critical education infrastructure.
The saga began on April 29 when ShinyHunters first claimed responsibility for a significant breach, asserting compromise of Canvas, a platform relied upon by nearly 9,000 schools globally for managing student data and coursework. The situation escalated dramatically last week when the group executed a second breach, defacing Canvas login pages across school websites. This brazen act was a clear tactic to intensify pressure on Instructure to meet their ransom demands.
The Agreement: A Risky Truce in the Digital Underworld
In an update posted on its incident page late Monday, Instructure stated that the agreement included evidence from ShinyHunters that the stolen data had been destroyed and that Canvas customers would not face direct extortion from the group. A representative from ShinyHunters echoed this, telling TechCrunch: “The data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.” This statement, coupled with the removal of Instructure’s listing from ShinyHunters’ leak site, strongly suggests that a ransom payment was made.
However, the company remained tight-lipped about the financial specifics of the agreement. Instructure spokesperson Brian Watkins did not respond to requests for comment or provide details regarding the amount paid. While Instructure acknowledged the inherent risks, noting there is “never complete certainty” when engaging with cybercriminals, their primary justification was to shield customers from direct engagement with the hackers.
The Shadow of Ransom Payments: A Divisive Strategy
Instructure’s decision to pay the ransom immediately thrusts it into a contentious debate. Governments worldwide, including the United States, have consistently urged victims of cybercrime to refrain from paying ransoms. The rationale is clear: paying incentivizes cybercriminals, fuels their operations, and establishes a dangerous precedent. Security researchers frequently highlight the critical issue of trust—or lack thereof—when dealing with malicious actors. There are documented cases where hackers, despite promising data destruction, have retained copies for future extortion attempts or sold them to other crime groups.
This concern is not theoretical. The incident strikingly mirrors a cyberattack earlier in 2024 on PowerSchool, another major provider of school information software. PowerSchool also reportedly paid a ransom to retrieve stolen data affecting 70 million students and staff. Yet, in a chilling turn of events, several of PowerSchool’s customers were subsequently targeted by a different crime group, which presented evidence of data from the original breach that had clearly not been destroyed. This precedent casts a long shadow over Instructure’s agreement, leaving many to question the long-term effectiveness and wisdom of their choice.
Adding to the caution, the FBI issued a statement last week acknowledging the “system disruption affecting schools and educational institutions” and explicitly advising victims to “not send payment or respond” to cybercriminal demands. While the notice did not name Canvas directly, its timing and context were unambiguous.
The Scale of Compromise: What Was Stolen?
The data stolen from Instructure, some of which TechCrunch has independently reviewed, paints a concerning picture. It includes sensitive personal information such as students’ names, personal email addresses, and even private messages exchanged between teachers and students. The potential exposure of such intimate and academic communications raises significant privacy concerns and opens individuals to risks ranging from identity theft to phishing attacks and further targeted exploitation.
Two Breaches, One Year: A Security Scrutiny
Compounding Instructure’s challenges is the revelation that ShinyHunters managed to breach the company’s systems twice within a year. While Instructure insists these were “distinct events” involving different internal systems, this admission raises serious questions about the robustness of its cybersecurity architecture, incident response protocols, and overall risk management. The company stated it is still investigating both breaches and validating its findings, but the repeated compromises suggest fundamental vulnerabilities that need to be addressed urgently and comprehensively.
Unanswered Questions and Leadership Accountability
Beyond the immediate aftermath of the agreement, significant questions linger regarding Instructure’s internal accountability. It remains unclear who within Instructure is ultimately responsible for cybersecurity, or if the buck stops with CEO Steve Daly. When pressed by TechCrunch, Instructure declined to comment on whether Daly plans to resign in light of the repeated security failures. This lack of transparency regarding leadership responsibility, coupled with the undisclosed ransom amount, further erodes trust among customers and the broader public.
The incident underscores the increasing sophistication of cyber adversaries and the critical need for robust security postures, particularly in sectors like education technology that handle vast amounts of sensitive data pertaining to minors and educators. The decision to pay a ransom, while perhaps offering immediate relief, may inadvertently contribute to a cycle of future attacks, making the entire ecosystem more vulnerable.
Are you a Canvas administrator or school notified about the breach? Have you received an extortion demand from the hackers? We want to hear from you. To contact this reporter securely, reach out via Signal username zackwhittaker.1337.
Bottom Line
Instructure’s decision to pay ShinyHunters, while potentially averting immediate widespread data publication, sets a troubling precedent that could embolden future cyberattacks on the education sector. The incident highlights the precarious balance between protecting user data and adhering to expert advice against ransom payments, leaving thousands of schools and millions of users in a state of uncertainty. Ultimately, this breach underscores the urgent need for enhanced cybersecurity investments, greater transparency from tech providers, and robust accountability mechanisms to safeguard the digital future of education against an increasingly aggressive cyber threat landscape.

