Instructure says hackers agreed to delete stolen Canvas data; experts caution deal may not end threat

Instructure, the parent company of Canvas, said Monday it reached an agreement with hackers to delete the data they stole in a cyberattack that created chaos for students during finals. The company, in an online post, said it had “reached an agreement with the unauthorized actor involved in this incident,” but provided no details on whether it involved a ransom payment.

The hacking group ShinyHunters claimed responsibility for the breach, which occurred last week and locked students and faculty out of the platform. The group threatened to leak data involving nearly 9,000 schools worldwide and 275 million individuals unless schools paid a ransom by May 6. After extending the deadline, the group indicated some schools had engaged with them to negotiate.

As part of the deal, Instructure said the data was returned and that it received “digital confirmation” in the form of “shred logs” that the hackers destroyed any remaining copies. The company acknowledged, however, that there was no way to be sure the data was erased for good.

“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure said in a statement.

Cybersecurity experts were skeptical that the deal would end the threat. Cynthia Kaiser, a former deputy director of the FBI’s Cyber Division and now senior vice president of the Halcyon Ransomware Research Center, said the reported agreement suggested a ransom was likely paid.

“What victims must understand is that payment does not end the threat,” Kaiser said in a written statement. “Stolen data will be used against clients and users for as long as it remains profitable to do so.”

The breach appeared to involve student ID numbers, email addresses, names and messages on the Canvas platform, Instructure’s chief information security officer, Steve Proud, said earlier this month. The company found no evidence that passwords, dates of birth, government identification or financial information were compromised.

The data theft added to scrutiny of Instructure’s security posture. A lawsuit filed last week in federal court in Utah alleged the company did not do enough to protect the platform used by millions of students, making it “easy prey for cybercriminals.” ShinyHunters was also behind a smaller breach of Instructure last year, the lawsuit noted.

Canvas serves as the digital backbone of instruction at many schools and universities, acting as a gradebook, a hub for digital lectures and course materials, a discussion board, and a messaging platform. Some courses also use it to administer quizzes and exams, or as a portal for submitting final projects and papers on deadline.

The outage last week caused panic among students and faculty, who were suddenly locked out of a system they rely on to manage grades and access learning materials. Instructure said it is working with “expert vendors” to perform a forensic analysis, further harden its systems, and conduct a comprehensive review of the data involved.