Instructure, the company behind Canvas learning management software, reached an agreement with hackers who breached its systems and stole data from thousands of college and university students. The company paid the criminals to delete the stolen information, according to reporting on the incident.
Canvas serves as the primary digital hub for coursework, grades, and student communication at major institutions worldwide. The breach exposed sensitive personal data including names, email addresses, and academic records across multiple universities.
Instructure confirmed it negotiated with the threat actors responsible for the hack. The company did not disclose the payment amount, but stated that hackers agreed to delete the stolen dataset as part of the settlement. This approach, while controversial, reflects a practical reality many companies face when confronting ransomware operators who threaten to sell or publish compromised data on the dark web.
The breach initially surfaced when hackers demanded payment and threatened to release student records publicly. Educational institutions relying on Canvas faced pressure to address the vulnerability and protect student privacy. Instructure patched the security flaw and worked to notify affected institutions about the incident.
Paying ransoms remains contested in cybersecurity circles. Law enforcement agencies discourage ransom payments, arguing they fund criminal operations and incentivize future attacks. However, companies often calculate that negotiated deletion costs less than potential legal liability, regulatory fines, and reputational damage from public data leaks.
For Canvas users, the agreement represents a resolution, though questions persist about whether all stolen data was actually deleted. The incident highlights the ongoing vulnerability of EdTech platforms handling millions of students' personal information. Instructure committed to security improvements following the breach.