A major cyberattack hit the Canvas learning platform last week. The attack disrupted operations at about 9,000 universities and colleges across the United States, Canada, Australia, and the United Kingdom.
Exams and academic activities faced interruptions when the system went offline. Hackers claimed they had stolen around 3.5 terabytes of student and institutional data during the breach.
The cyber extortion group known as Shiny Hunters later took responsibility for the attack.
Company Response and Agreement With Hackers
Instructure, the company behind Canvas, confirmed that it reached an agreement with the attackers. The company said the goal was to reduce harm and protect students and staff.
According to Instructure, the outcome included several key points:
- The stolen data was returned to the company
- The hackers provided confirmation that the data was deleted
- The group agreed not to extort students or institutions
- The agreement covered all affected customers, so individuals did not need to take action
The company did not clearly confirm whether money changed hands. However, such negotiations often involve digital payments in cryptocurrency.
Security Concerns and Expert Warnings
Cybersecurity experts and law enforcement agencies generally advise against paying cyber criminals. They warn that payments can encourage more attacks in the future.
There is also no strong guarantee that stolen data is fully deleted after such agreements. Criminal groups can keep copies and use them later.
Past incidents support this concern. In one case involving the LockBit ransomware group, investigators found that stolen data still existed even after ransom payments were made.
Company Statement on the Decision
Instructure stated that protecting users remained its top priority. The company explained that it took all possible steps to reduce risk and give customers peace of mind.
It also acknowledged that absolute certainty is not possible when dealing with cyber criminals. Still, it believed the agreement helped limit further harm.
How the Attack Unfolded
The breach was first detected on 29 April. Soon after, hackers publicly claimed responsibility and threatened to release the stolen data if demands were not met.
The group attempted to pressure the company through encrypted communication channels, a common method used in cyber extortion cases.
