Deal reached with hackers to delete data stolen from the Canvas
educational platform
[May 13, 2026]
By KELVIN CHAN
The company that operates online learning system Canvas said it struck a
deal with hackers to delete the data they pilfered in a cyberattack that
created chaos for students, many of them in the middle of finals.
Instructure, the parent company of Canvas, said in an online post that
it “reached an agreement with the unauthorized actor involved in this
incident.”
The company didn’t provide any details on the agreement, including
whether it involved a payment, and didn’t elaborate who was behind the
hack. Instructure temporarily took the system offline while it
investigated, locking out students and faculty.
A hacking group named ShinyHunters claimed responsibility for last
week's breach, threatening to leak data involving nearly 9,000 schools
worldwide and 275 million individuals if schools did not pay a ransom by
May 6. The group then extended the deadline, indicating some schools had
engaged with them to negotiate.
ShinyHunters also was behind a smaller breach of Infrastructure last
year. A lawsuit filed last week in federal court in Utah alleged
Instructure did not do enough to protect the platform used by millions
of students and made itself “easy prey for cybercriminals.”
As part of the deal, the data was returned to Instructure. The company
said Monday that it also received “digital confirmation" that the
hackers destroyed any remaining copies, in the form of "shred logs.”
The company acknowledged that there was no way to be sure that the data
was erased for good, and said it took action because of concerns about
potential publication of the data.
“While there is never complete certainty when dealing with
cybercriminals, we believe it was important to take every step within
our control to give customers additional peace of mind, to the extent
possible,” Instructure said.
Cybersecurity experts were skeptical it was the end of the attack.
Cynthia Kaiser, a former deputy director of the FBI’s Cyber Division,
said the reported deal suggests that a ransom was likely paid.
[to top of second column]
|
An image of a notice sent by Georgia Tech's information technology
department warning students, professors and staff about the
cybersecurity breach of the Canvas system it uses for assignments
and grading is displayed on a phone, Friday, May 8, 2026, in
Decatur, Georgia. (AP Photo/Michael Warren)
“What victims must understand is that payment does not end the
threat,” Kaiser, now the senior vice president of the Halcyon
Ransomware Research Center, said in a written statement. "Stolen
data will be used against clients and users for as long as it
remains profitable to do so.”
The data breach appeared to involve student ID numbers, email
addresses, names and messages on the Canvas platform, Instructure’s
chief information security officer, Steve Proud, said earlier this
month. The company found no evidence that passwords, dates of birth,
government identification or financial information were compromised,
it said.
The company said it was working with "expert vendors" to do a
forensic analysis, “further harden” its systems, and carry out a
“comprehensive review of the data involved.”
The disruption caused panic last week among students and faculty
members when they were locked out of a platform they rely on to
manage grades and access course notes and assignments.
Schools and universities use Canvas to manage nearly all aspects of
instruction. The platform acts as a gradebook, a hub for digital
lectures and course materials, a discussion board for classroom
projects, and a messaging platform between students and instructors.
Some courses also give quizzes and exams on the platform, or use it
as a portal where final projects and papers are submitted on
deadline.
___
Heather Hollingsworth contributed to this report.
All contents © copyright 2026 Associated Press. All rights reserved |
