Canvas hack: Company strikes deal with hackers after massive cyber breach hits universities

Instructure, the company behind the widely used learning management platform Canvas, announced late Monday it had struck a deal with the hackers responsible for a massive cyber breach that exposed data from 275 million users. The affected data included full names, email addresses, student numbers, and personal messages, according to Instructure’s statement. The company confirmed the data was returned and digitally verified as destroyed, with assurances that no further extortion attempts would be made against its customers. The hacking group ShinyHunters claimed responsibility for the breach, which targeted universities and schools using Canvas, including Canadian institutions like the University of Alberta, University of Toronto, and University of British Columbia. The group had previously been linked to breaches at Ticketmaster and Google’s Salesforce database. Instructure stated there was no need for individual schools to contact the hackers, as the company had handled the situation directly. While details of the agreement remain undisclosed, including whether a payment was made, ShinyHunters confirmed in a message to Reuters that the data was deleted and no further targeting would occur. The group declined to provide specifics about the deal. Cybersecurity experts, including Luke Connolly of Emsisoft, warned that paying ransoms often encourages further criminal activity, citing past incidents like the PowerSchool cyberattack, which led to additional extortion demands at individual school boards. Instructure acknowledged the ongoing uncertainty but emphasized that protecting its user community remained its top priority. The breach highlights the risks faced by educational institutions relying on digital platforms for sensitive student data. Experts like David Shipley of Beauceron Security cautioned that while victims may feel pressured to pay ransoms, doing so only perpetuates the cycle of cybercrime.