Business May 17, 2026

Canvas Ransom Dilemma: What Instructure’s Deal Reveals About Paying Cyber Extortionists

After a week‑long outage that crippled Canvas for millions of students worldwide, Instructure announced it had reached an agreement with the ransomware group ShinyHunters. While the company stopped short of confirming a payment, the deal raises fresh questions about the wisdom of paying extortionists to protect sensitive educational data.

Instructure’s Agreement with ShinyHunters: What Actually Happened

The attack began when the group exploited a vulnerability in Instructure’s “Free for Teacher” software, allowing them to deface login pages at institutions such as the University of Texas San Antonio. ShinyHunters threatened to leak 3.6 TB of data – student IDs, emails, names and messages from 9,000 schools and roughly 275 million students and staff – unless a ransom was paid. Instructure later said the stolen data had been “returned” and that it received “digital confirmation of data destruction” via shred logs, but it did not explicitly confirm a payment.

Financial Stakes: Ransom Demands, Potential Payments, and Industry Benchmarks

ShinyHunters initially demanded $10 million in ransom. Australian ransomware surveys show the average payment fell to $711,000 in 2025, down from $1.35 million the year before. According to a McGrathNicol report, 64% of surveyed Australian firms had paid a ransom, and 81% said they would be willing to do so. As of January 2026, 75 Australian businesses with turnovers of at least $3 million had paid ransoms, though the total amount remains undisclosed. Cyber‑security experts estimate that Instructure’s payout – if any – could be anywhere up to the $10 million demand, potentially reduced through negotiation.

Policy and Business Implications: Why Paying Ransom Remains Controversial

Governments in the UK, US and Australia advise against paying ransoms, arguing that non‑payment reduces the attractiveness of ransomware as a crime vector. In Australia, paying a designated attacker could breach the autonomous cyber‑sanctions law, exposing firms to prosecution on a case‑by‑case basis. Critics also note that payment does not guarantee data will not be leaked; attackers may still copy or sell the information after receiving money. Experts such as Darren Hopkins (McGrathNicol) and Luke Irwin (Aegis Cybersecurity) stress the “trust factor” – criminals must appear honest to receive payment, yet they remain untrustworthy. This paradox fuels boardroom debates about risk‑driven decision‑making versus investing in prevention and incident response capabilities.

Looking Ahead: How Companies May Navigate Future Extortion Threats

The Canvas case underscores the need for stronger cyber‑resilience strategies: regular vulnerability patching, robust backup architectures, and clear ransomware response playbooks. Insurers are tightening coverage terms, often requiring demonstrable mitigation measures before honoring ransom claims. Policymakers may also tighten reporting obligations and consider clearer prohibitions on ransom payments, especially for critical‑infrastructure providers like education platforms.

Ultimately, firms will have to balance the immediate pressure to restore services against the long‑term cost of incentivising criminal enterprises. As ransomware groups refine their extortion tactics, the industry’s collective stance on paying – or refusing – will shape the next wave of cyber‑crime economics.
Tech May 13, 2026

Canvas Strikes Deal with Hackers to Erase Stolen Student Data

Canvas Reaches Agreement with Hackers to Purge Stolen Data

Instructure, the parent company of the Canvas learning platform, announced that it has “reached an agreement with the unauthorized actor involved in this incident” to delete the data stolen in last week’s cyberattack that disrupted finals for students worldwide.

Scope of the Breach: 9,000 Schools and 275 Million Records Affected

9,000 schools worldwide were threatened with data exposure. Personal information belonging to 275 million individuals, including student IDs, email addresses, names and messages, was compromised. The hacking group ShinyHunters demanded a ransom by 6 May, later extending the deadline.

Implications for U.S. Higher‑Education Operations and Cyber‑Risk Management

The breach forced many U.S. colleges to lock out users, delay final exams and temporarily take Canvas offline, highlighting the platform’s central role in grading, coursework distribution and communication. Instructure’s chief information security officer Steve Proud confirmed that passwords, dates of birth, government IDs and financial data were not found in the stolen set, but the incident raised concerns about potential future publication of the data.

What This Means for Future EdTech Security Strategies

Instructure plans to work with “expert vendors” for forensic analysis, system hardening and a comprehensive review of the data involved. The company also received “digital confirmation” in the form of “shred logs” that the hackers destroyed remaining copies, though it acknowledged no absolute certainty of total erasure. Analysts suggest that the episode will push educational institutions to reassess vendor security contracts, invest in multi‑factor authentication and develop incident‑response playbooks tailored to large‑scale data breaches.