Canvas hack: Company pays criminals to delete students' stolen data

Canvas, the learning management platform used by thousands of educational institutions worldwide, has reached a settlement with the cybercriminals responsible for a massive data breach affecting students across North America and beyond.

The company confirmed it negotiated directly with the threat actors who infiltrated its systems and stole sensitive student information. Terms of the agreement include payment to the hackers in exchange for deletion of the stolen data and assurances they will not release it publicly or sell it on the dark web.

This approach, while controversial, reflects a growing trend among companies facing ransomware and data theft operations. Canvas prioritized preventing the exposure of millions of student records over pursuing traditional law enforcement channels. The breach compromised personal identifying information, academic records, and potentially financial data tied to student accounts across numerous universities.

Canvas parent company Instructure has not disclosed the exact payment amount, though industry sources suggest settlements of this scale typically run into six figures. The company faces scrutiny from privacy advocates and lawmakers who argue that paying ransoms incentivizes further criminal activity and violates guidance from the FBI and Department of Justice.

Universities relying on Canvas scrambled to notify affected students and implement additional security protocols. Many institutions began evaluating alternative platforms or demanding enhanced security commitments from Instructure.

The incident underscores persistent vulnerabilities in edtech infrastructure handling sensitive data on minors and young adults. Canvas hosts academic information for millions of users globally, making it a lucrative target for sophisticated threat groups. Instructure has pledged to conduct a full security audit and implement stronger encryption standards moving forward.

The settlement represents a temporary resolution, but broader questions persist about whether negotiating with cybercriminals creates perverse incentives in an already volatile threat landscape targeting educational systems.