Canvas Maker Instructure Pays Hackers to Protect Student Data—But Experts Say Risks Run Deeper Than One Ransom
What Paying Ransom Could Mean Moving Forward

Instructure, the company behind Canvas, has confirmed it paid hackers to delete stolen data and refrain from targeting students and institutions. Canvas is the cloud-based learning management system used by thousands of universities and colleges across various countries, including the Philippines in Southeast Asia.
The Instructure admission, unusual in its transparency, marks the conclusion of one of the most disruptive cyberattacks on the education sector in recent memory. But cybersecurity experts warn the ransomware payment resolves only the immediate crisis, not the structural vulnerability that made the attack possible in the first place.
The breach was discovered on 29 April 2026 and claimed by Shiny Hunters, a prolific extortion group with a long history of high-profile attacks. The hackers compromised the Canvas platform and stole an estimated 3.5 terabytes of student and university data, threatening to publish it unless a ransom was paid in bitcoin. The attack took Canvas offline, disrupting an estimated 9,000 institutions across the United States, Canada, Australia, the United Kingdom, and the Philippines. Exams were interrupted. Students lost access to course materials during revision periods. In some cases, online assessments were compromised mid-session.
The Moment a Ransom Note Appeared During an Exam
Aubrey Palmer, a meteorology student at Mississippi State University, was among the students most viscerally affected. They had just finished writing a 2,900-word exam essay when the screen changed.
“My knee-jerk reaction was that I’d been hacked myself, because that’s what it looked like,” Palmer told the BBC. “But then I actually read the ransom note and saw it was Canvas that had been hacked.”
The note read: “Shiny Hunters has breached Instructure (again).” It threatened to release stolen data unless a ransom was paid by Canvas or affiliated universities. Palmer’s professor and dozens of fellow students received the same message simultaneously. Confusion spread through the exam room about whether work had been saved. Mississippi State University later announced that some exams would be postponed to allow students to recover any lost work.
It was not an isolated incident. Across all affected institutions, the sudden loss of platform access—and the appearance of a ransom demand—created the kind of institutional disruption that takes days or weeks to fully assess.

What Instructure Confirmed—and What It Did Not
Instructure has maintained an unusually high level of public transparency throughout the incident, providing regular updates on its website. In its most recent statement, the company confirmed it had “reached an agreement” with the hackers covering four specific outcomes:
- The data was returned to Instructure
- The company received digital confirmation of data destruction.
- It was informed that no Instructure customers would be extorted as a result of the incident
- The agreement covers all affected customers, with no requirement for individuals to negotiate with the attackers directly.
Neither Instructure nor the Shiny Hunters group explicitly confirmed that money changed hands—but the operational model of groups like Shiny Hunters depends entirely on bitcoin ransom payments negotiated through encrypted chat services. Instructure offered its own explanation for why it acted.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure said.
That reasoning is understandable. It is also contested by virtually every law enforcement agency that advises on cybercrime.
Why Paying Ransoms Is So Problematic
Paying cyber criminals goes against the official guidance of law enforcement agencies across the United States, United Kingdom, Canada, and Australia—the four countries whose institutions were most affected by this attack. The core arguments against payment are well-documented and consistent: it funds further attacks, it creates incentives for more extortion, and it offers no guarantee that stolen data has actually been destroyed.
The last point is not theoretical. When the National Crime Agency compromised the notorious LockBit ransomware group’s infrastructure, investigators found that stolen data had not been deleted even in cases where victims had made ransom payments. Criminals accepted the money and kept the data anyway—for resale, for future leverage, or for both. There is no contractual enforcement mechanism that compels a criminal group to honour its side of an agreement. “Digital confirmation of data destruction” is only as reliable as the honesty of the party providing it.
What This Attack Reveals About SaaS Risk
The Canvas breach is not primarily a story about one company’s security failure. It is a story about how organisations—universities, colleges, and businesses alike—think about data responsibility when they migrate critical services to the cloud.
Dave Russell, SVP and Head of Strategy at Veeam Software, framed the structural issue directly: “Moving to SaaS doesn’t eliminate risk—it changes it. Even when the provider secures the platform, it’s still your data and still your responsibility to ensure it is protected, retained, and recoverable. SaaS is an attack surface, and resilience planning has to assume critical services can become unavailable or untrusted with little notice. The most pragmatic step organizations can take is to apply consistent data hygiene everywhere—on‑premises, cloud, and SaaS—and maintain independent, recoverable copies of mission‑critical data so recovery happens on your timeline, not the attacker’s.”
Rick Vanover, VP of Product Strategy at Veeam Software, put the point in starker terms: “SaaS can feel like ‘set it and forget it’ until it’s suddenly ‘set it and regret it.’ The shared responsibility model is the fine print nobody reads until an incident forces the issue: the provider runs the service, but you own the outcome—including getting your data back and keeping the business running. Treat SaaS like any other production system: lock down identity, know where the data is, keep it clean, and make sure you have a recovery plan that doesn’t depend on the same platform that’s having a bad day. If ransomware loves anything, it’s single points of failure, so don’t give it one.”
The 9,000 institutions or so affected by the Canvas outage were operating on the assumption that Instructure’s security posture was their primary line of defence. When that line was breached, many had no independent recovery mechanism—no offline copy of critical exam data, no contingency plan that did not route through the same compromised platform.



