Instructure Pays Hackers to Delete Canvas Breach Data After Attack on 9,000 Schools

The company behind the Canvas learning software paid hackers not to release stolen data online after a breach last week disrupted thousands of universities and colleges.

The cyberattack hit an estimated 9,000 institutions in the United States, Canada, Australia and the United Kingdom. Exams ground to a halt when the Canvas service went offline.

Hackers threatened to post 3.5 terabytes of student and university data taken in the breach.

Instructure, Canvas's maker, confirmed it reached an agreement with the hackers. The group said it deleted the data and promised not to extort students or institutions.

Law enforcement agencies worldwide advise against paying cybercriminals. Such payments encourage more attacks and provide no assurance that data has been destroyed.

Criminals have taken ransoms in past cases but kept data for resale. When Britain's National Crime Agency hacked the LockBit ransomware group, officers found undeleted stolen data despite payments.

Instructure cited protection of students' and education staff data as its main reason. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said in a website statement.

The firm did not detail the agreement terms but said it ensured the data was returned, provided digital confirmation of destruction, informed Instructure that no customers would face extortion from the incident, and covered all affected customers without individual negotiations.

The breach surfaced on April 29 and was claimed by the Shiny Hunters extortion group.

Neither side explicitly confirmed a money exchange. Groups like Shiny Hunters typically demand bitcoin payments after encrypted chat negotiations.

Victims rarely admit publicly to paying hackers, but Instructure has issued regular website updates. The attack's high visibility, which hit students directly, may explain the transparency.

Students taking exams in the United States suffered most. They lost access to Canvas for study and saw some online tests interrupted.

Aubrey Palmer, a meteorology student at Mississippi State University, told the BBC that he and other students had just completed a 2,900-word exam essay when a ransom message appeared on screens. The note read: "Shiny Hunters has breached Instructure (again)." It threatened data release unless Canvas or universities paid bitcoin.

"My knee-jerk reaction was that I'd been hacked myself, because that's what it looked like," Palmer said. "But then I actually read the ransom note and saw it was Canvas that had been hacked."

Palmer said his professor and dozens of students got the message, sparking confusion over whether work was saved.

Mississippi State University postponed some exams so students could recover lost work.

Shiny Hunters hacks organizations, steals data and pressures victims publicly for bitcoin ransoms. The English-speaking group, believed to consist of young criminals, has hit Jaguar Land Rover and Gucci.

In Telegram messages to the BBC, Shiny Hunters claimed prior hacks of Canvas before last Thursday's attack.