Canvas users were locked out during finals last week after a cyberattack disrupted the platform that many U.S. schools and universities use for grades and course materials, and Instructure said Tuesday it has since reached an agreement with the hackers behind the breach. In a post, the company said the deal centered on deleting the data the attackers stole, though Instructure did not say whether money changed hands or identify who carried out the intrusion.
Instructure said it received “digital confirmation” from the unauthorized actor that any remaining copies of the data had been destroyed, describing the confirmation as “shred logs.” The company also said it received the data back, and it said its decision reflected concerns that the stolen information could be published.
Instructure acknowledged that it could not have full assurance the information was erased beyond the point of the hackers’ reported actions. “While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said.
The dispute traces back to a last week’s breach in which ShinyHunters claimed responsibility and threatened to leak data involving nearly 9,000 schools worldwide and 275 million individuals unless schools paid a ransom by May 6. ShinyHunters later extended that deadline, indicating some schools had engaged with the group to negotiate.
Instructure temporarily took the Canvas system offline while it investigated the cyberattack, blocking access for students and faculty who rely on the platform to manage grades, view course notes and assignments, and communicate inside classes. Some courses also use Canvas for quizzes and exams or as a submission portal for final projects and papers.
The company said the breach involved student ID numbers, email addresses, names and messages on the Canvas platform, while it found no evidence that passwords, dates of birth, government identification or financial information were compromised. Instructure said it was working with “expert vendors” to perform a forensic analysis, “further harden” its systems and carry out a “comprehensive review of the data involved.”
Cybersecurity experts were not convinced the deal ended the incident. Cynthia Kaiser, a former deputy director of the FBI’s Cyber Division and now the senior vice president of the Halcyon Ransomware Research Center, said the reported agreement suggests a ransom was likely paid. “What victims must understand is that payment does not end the threat,” Kaiser said in a written statement. “Stolen data will be used against clients and users for as long as it remains profitable to do so.”
Kaiser’s warning came amid legal pressure on Instructure. A lawsuit filed last week in federal court in Utah alleged that Instructure did not do enough to protect the platform used by millions of students and made Canvas “easy prey for cybercriminals.” The hacking group ShinyHunters also was linked to a smaller Infrastructure breach last year, according to the report.
Instructure’s account does not include additional details about the agreement, including whether it involved a payment or who was behind the hack. The company said it received “shred logs” as part of the arrangement but also said there is no complete certainty in dealing with cybercriminals.