The company behind the widely used Canvas learning management system has confirmed it paid cybercriminals to delete stolen student data following a major breach that disrupted operations at thousands of universities and colleges worldwide.
The cyberattack, which came to light last week, affected an estimated 9,000 institutions across the United States, Canada, Australia, and the United Kingdom. The incident caused significant disruption, with many exams interrupted or canceled after the Canvas service went offline. The hackers threatened to publish 3.5 terabytes of sensitive student and university data they had exfiltrated during the breach.
Instructure, the maker of Canvas, has now acknowledged that it “reached an agreement” with the perpetrators. According to the company, the hackers have deleted the stolen data and promised not to extort any students or institutions. However, paying cybercriminals contradicts the advice of law enforcement agencies globally, as it may encourage further attacks and offers no guarantee that the data has been truly destroyed.
In previous incidents, criminals have accepted ransom payments but lied about deleting stolen information, instead retaining it for resale. For instance, when the notorious LockBit ransomware group was hacked by the UK’s National Crime Agency, authorities discovered that stolen data had not been deleted even after payments had been made.
In a statement on its website, Instructure said that protecting the data of students and educational staff was its primary motivation. “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company stated.
Instructure did not disclose the financial terms of the agreement but explained what the deal entailed: the data was returned to the company, it received “digital confirmation of data destruction,” it was informed that no Instructure customers would be extorted as a result of the incident, and the agreement covers all affected customers, meaning no individuals need to engage with the hackers.
The breach was discovered on April 29 and was claimed online by the prolific Shiny Hunters extortion group. Neither the hackers nor the company has explicitly stated that money changed hands, but cyber extortion groups like Shiny Hunters typically operate by forcing victims to send bitcoin after negotiations conducted through encrypted chat services.
It is unusual for victims of cyberattacks to publicly acknowledge paying hackers, but Instructure has maintained a high level of transparency, providing regular updates on its website. That openness may be partly because the attack was highly visible and directly affected students. Students sitting exams in the United States were particularly badly impacted, losing access to Canvas for revision and, in some cases, having online exams interrupted.
Aubrey Palmer, a meteorology student at Mississippi State University, told the BBC that they and other students had just finished writing a 2,900-word exam essay when a ransom message suddenly appeared on their screens.



