Education platform Canvas pays ransoms to get stolen personal data back! Cybersecurity expert warns: may encourage criminal activity

A well-known education platform, Canvas, was recently hit by a hacker attack, causing operations to come to a standstill at thousands of colleges and universities worldwide. Its parent company, Instructure, in order to prevent up to 3.5 TB of students’ and teachers’ data from being exposed, has announced and confirmed that it reached an agreement with the hackers and paid a ransom. The incident directly affected students’ online exams, and once again sparked heated debate in the market over whether companies compromise when facing cybersecurity ransomware attacks.

Parent company willing to pay ransom to Instructure in exchange for the destruction of 3.5TB of data

This large-scale cybersecurity incident affected about 9,000 educational institutions in the United States, Canada, Australia, and the United Kingdom, among other places. During the Canvas cloud service downtime, many schools’ daily operations and end-of-term exams were forced to be interrupted. Canvas developer Instructure confirmed that it reached an agreement with the hackers to prevent 3.5 TB of stolen data from being published online. In its statement, the company said the hackers returned the data, provided digital proof of data destruction (Shred logs), and promised not to extort any students or institutions. While the official did not clearly disclose the transaction amount, ransomware groups typically negotiate via encrypted chat services and demand that victims pay in Bitcoin.

Global law enforcement: Paying ransom may not ensure data safety

Cybersecurity experts warn that compromising with online criminals not only fuels future attacks, but also provides no guarantee that the data will truly be deleted. There have been many recorded cases in the past where hackers broke their promises after receiving the ransom. For example, when international police seized the notorious ransomware group LockBit, it was found that stolen data from many victims who had paid ransoms had not been destroyed, but was instead kept by the hackers for later resale.

The hackers’ ransom message hits the exam screen directly, forcing students’ tests to be interrupted

Because the attack directly affected how teachers and students used the education system, Instructure was forced to report the case’s progress to the public. Some students in the United States reported that during online exams, a ransomware message from the hacker group suddenly appeared on the computer screen. Students at Mississippi State University said that while they were about to complete a long exam, the screen was overlaid with the text “Shiny Hunters has (again) compromised Instructure,” and threatened that their data would be released if Bitcoin was not paid. The sudden situation threw the testing room into chaos, and the school later had to announce a postponement of some exams, giving students time to restore any lost answers.

Official update: Core data remains safe, and a briefing will be held on May 13

According to Instructure’s incident update, the stolen data in this hack included fields such as usernames, email addresses, course names, registration information, and communications. However, “core learning data” (such as course content, assignment submission records, certificates, etc.) was not compromised. The company also found that support services in a “free teacher” environment had a vulnerability that was exploited by the hackers; it has temporarily shut down the service while conducting a comprehensive security review.

International hacker group Shiny Hunters repeatedly reoffends and refuses to respond to moral questions

According to BBC reporting, the organization claiming responsibility is “Shiny Hunters.” The group is known for stealing corporate data and using public pressure to extort Bitcoin. It has previously been linked to data breach incidents involving well-known companies such as Jaguar Land Rover and Gucci. It is understood that the group members are native English speakers and relatively young. In encrypted chats with the media, Shiny Hunters revealed that before this attack they had successfully hacked the Canvas system twice (in September 2025 and April 2026, respectively). When asked about the psychological pressure and exam disruption caused to students, the group responded coldly only: “We have nothing to comment on this.”

This article: Education platform Canvas pays ransom to get stolen personal data back destroyed! Cybersecurity experts worry: may help fuel criminal activity — first appeared on Chain News ABMedia.