Canvas hack raises questions about paying ransom and data outcomes

By Grace Mitchell

Canvas ransomware attack raises concerns over ransom payments and data security

The recent ransomware attack on Instructure, the US company behind the widely used education platform Canvas, has reignited debate over whether companies should pay ransoms to cybercriminals. The attack disrupted services for millions of students and staff worldwide, exposing sensitive data and delaying academic activities. Instructure announced it had “reached an agreement with the unauthorised actor,” a phrase experts interpret as an indication that a ransom may have been paid, though the company has not confirmed this.

Key developments in the Canvas hack

  • The hacking group ShinyHunters claimed responsibility for the attack, threatening to leak 3.6TB of data including student ID numbers, email addresses, names, and messages from 9,000 schools and 275 million users globally.
  • Instructure confirmed the hackers exploited a vulnerability in its Free for Teacher software, allowing them to deface login pages and alert users to the breach.
  • As part of the agreement with the hackers, Instructure stated the stolen data was “returned” and that it received “digital confirmation of data destruction” via shred logs, though complete certainty cannot be guaranteed when dealing with cybercriminals.
  • Australian universities and schools, including RMIT and UTS, were among the victims, with some granting assignment extensions due to the platform outages.

Why this matters

The Canvas attack highlights the difficult decisions organisations face when targeted by ransomware. Governments in the UK, US, and Australia advise against paying ransoms, warning that such payments may fund further criminal activity and do not guarantee data protection or threat cessation. However, many businesses still choose to pay to protect user privacy and limit damage.

In Australia, paying a ransom to a sanctioned attacker could be a criminal offence, though payments are reviewed individually. Since mandatory reporting began in 2025, at least 75 Australian businesses have reported paying ransoms, with average payments decreasing but a majority of companies still willing to pay if attacked.

Expert perspectives on ransom payments and hacker trustworthiness

Cybersecurity experts note that ransomware groups like ShinyHunters rely on maintaining a reputation for “honesty” to encourage victims to pay. While they may provide evidence of data deletion, there is no way to fully verify these claims, leaving organisations to make risk-based decisions.

Darren Hopkins from McGrathNicol describes the Canvas statement as carefully worded to imply an agreement without admitting to ransom payment. He emphasises that businesses increasingly prepare for attacks to avoid paying to regain system access, focusing instead on preventing further data exposure.

Luke Irwin of Aegis Cybersecurity estimates ransom demands can reach up to US$10 million, though negotiations may reduce this amount. He stresses that dealing with criminal organisations involves inherent risks and uncertainty.

Ongoing challenges for organisations facing ransomware

The Canvas incident underscores the complex balance between mitigating harm and adhering to legal and ethical guidelines. While paying ransoms may sometimes appear to be the quickest way to protect data and restore services, it can also encourage further attacks and does not guarantee full resolution.

Businesses must weigh the risks of trusting cybercriminals against the potential consequences of prolonged data exposure and operational disruption. The attack also highlights the importance of robust cybersecurity measures and rapid response strategies to reduce vulnerability to such threats.

Editor's note

This briefing highlights the confirmed breach or threat first, then adds context on who may be affected and what happens next. This page also reflects material updates made after publication.

Source

This article is based on reporting from theguardian.com.

About the author

Grace Mitchell

Grace Mitchell covers AI policy, cybersecurity, technology business and world affairs for Peack News. Her work focuses on regulation, platform power, digital risk and the political decisions that shape companies, institutions and everyday users.

Expertise focus: AI policy, cybersecurity, technology business and world politics

Areas covered: AI, Cybersecurity, Technology Business, World Politics

editorial@peacknews.com