The parent company behind Canvas, a widely used learning management platform connecting students with their schools or universities, has struck a deal with the hacking group claiming responsibility for last week’s massive cybersecurity breach.
“Instructure reached an agreement with the unauthorized actor involved in this incident,” the company said in statement posted online late Monday.
As part of the deal, the company said the impacted data was returned and that it had also received digital verification the data was destroyed (via “shred logs”).
Instructure said it received an assurance that none of its customers would be extorted “as a result of this incident, publicly or otherwise” and specified that “there is no need for individual customers to attempt to engage with the unauthorized actor.”
No further details about the deal were disclosed, including whether it involved payment.
A hacker group called ShinyHunters, previously tied to breaches at Ticketmaster and Google’s Salesforce database, quickly claimed responsibility for the cyberattack last week.
The group claimed it had compromised the personal info of 275 million people and had threatened to publicly release the stolen data — full names, email addresses, student numbers and personal messages, according to Instructure — unless paid an undisclosed sum.
In an online message, a ShinyHunters representative told Reuters the “data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.” The rep declined to answer specific questions about the agreement.
At schools and universities, instructors use Canvas to share a wide range of material with students, from course notes to media to exams. They might also use it to communicate and share grades or other updates, while students at some institutions also use the platform to submit their assignments. Canadian users include University of Alberta, University of Toronto and University of British Columbia.
There’s a data breach at Canadian schools. What do we know?
Luke Connolly, an Ottawa-based threat intelligence analyst at cybersecurity firm Emsisoft, discourages paying ransoms after data breaches, which he says sets off a cascade effect.
“It encourages the criminals to continue to look for new victims,” he said in an interview with CBC News. “The payments actually fund their development of new techniques [to exploit others].”
In the case of the early 2025 PowerSchool cyberattack that impacted K-12 school boards across Canada and abroad, an initial ransom demand to the learning management platform’s parent company was followed by extortion demands at individual school boards mere months later.
David Shipley, CEO of Fredericton-based Beauceron Security, expressed sympathy for those facing the “awful choice” of paying a ransom after a cybersecurity breach, but he also strongly discourages payment.
While Instructure is a victim in this case, Shipley told CBC News, “at the end of the day, they were the custodians for this data and they have that responsibility to protect it.”
Caught in a data breach? 3 tips for what to do next
Instructure itself acknowledged the continued uncertainty of the ongoing, “unsettling situation” and said protecting its community of users remains its top priority.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure said.
The company says forensic analysis of the breach is ongoing by experts, and it vowed to continue with regular updates about their findings.
