Instructure, the prominent educational technology provider, announced on Monday that it has reached an agreement with an unauthorized threat actor, concluding a tumultuous period marked by two significant security breaches of its widely used Canvas learning management system. The resolution comes just days after cybercriminals, identified as the group ShinyHunters, twice infiltrated Instructure’s network, causing widespread disruptions for educational institutions across the nation. The agreement, which Instructure stated involved the return of stolen data and digital confirmation of its destruction, is viewed by cybersecurity experts as a probable ransomware payment, a practice strongly discouraged by the FBI.
The most recent cyberattack, which occurred on Thursday, led to substantial disruptions for K-12 schools and colleges nationwide. This incident was characterized by the posting of a message by the cyber gang ShinyHunters, visible to some users on their Canvas platforms, offering schools a deadline of Tuesday to negotiate a settlement. This ultimatum mirrored the deadline Instructure itself was reportedly given. Instructure’s statement indicated that as part of its agreement with the unnamed threat actor, all stolen data was returned, and the company received "shred logs" as digital proof of the data’s destruction. The threat actor also reportedly assured Instructure that no customers would be extorted and that individuals affected by the breach would not need to engage directly with them.
"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," Instructure stated in a public announcement on its website. However, cybersecurity experts and legal proceedings cast a shadow of doubt over the finality and security of such agreements.
The ShinyHunters Breach and the Question of Data Deletion
Rebecca Moody, head of data research at Comparitech, a cybersecurity and online privacy product review website, confirmed that ShinyHunters was the group responsible for the Canvas cyberattacks. The group initially posted details of the first incident on its leak site on May 3. According to Moody’s statement on Tuesday, ShinyHunters claimed to have exfiltrated approximately 3.65 terabytes of data, potentially affecting around 275 million users across 9,000 schools globally. Instructure has not yet officially confirmed the precise number of schools or users impacted by the recent breaches.
"This post and the individual school-by-school threats ShinyHunters has sent likely put pressure on Instructure to meet the ransom demands to try and prevent data from being leaked," Moody explained. "However, let’s not forget that ShinyHunters are cybercriminals. Even by paying this ransom demand, Instructure cannot guarantee the data will be deleted." This sentiment is echoed by legal actions, with several class-action lawsuits already filed against Instructure in federal district courts in the wake of the data breach.
Instructure had previously confirmed that unauthorized access to its systems occurred on April 29 and again on May 7, both instances originating through its Free for Teachers platform. The exposed data reportedly included usernames, email addresses, course names, enrollment information, and messages. The company, however, emphasized that "core learning data (course content, submissions, credentials) was not compromised," and assured users that Canvas is now fully operational and secure.
Michael Klein, senior director for preparedness and response at the Institute for Security and Technology, weighed in on the sensitive issue of ransom payments. He aligned with the FBI’s general stance against paying ransoms, noting that such payments can embolden cybercriminals and do not guarantee data deletion or prevent future attacks. However, Klein acknowledged that in rare circumstances, such as ransomware attacks on critical infrastructure like hospitals where immediate action is required to prevent physical harm, a payment might be deemed necessary. He posited that the data compromised in the Instructure incident does not appear to fall into such a critical category that would necessitate a ransom payment.
"Also, you can’t trust that a cybercriminal group is going to keep their word and not then go and extort all of the people downstream of that anyway," Klein added, highlighting the inherent unreliability of such agreements with criminal entities.
A Chronology of the Instructure Breaches
The security incidents at Instructure unfolded rapidly, creating a climate of urgency and concern for educational institutions. The timeline of events is as follows:
- April 29, 2024: Hackers gain unauthorized access to Instructure’s systems through its Free for Teachers platform. This initial breach, though not immediately publicized in detail, laid the groundwork for subsequent events.
- May 3, 2024: The cybercriminal group ShinyHunters publicly claims responsibility for a data breach, posting details of their activity on their leak site. They assert the exfiltration of a significant volume of data.
- May 7, 2024: A second infiltration of Instructure’s systems occurs, again through the Free for Teachers platform. This second breach amplifies concerns and suggests a persistent threat actor.
- May 9, 2024: News of the second breach surfaces, detailing widespread disruptions for schools and colleges nationwide. A message from ShinyHunters appears on some Canvas platforms, setting a negotiation deadline for affected institutions.
- May 10, 2024: Instructure confirms the data breaches and outlines the types of data compromised. They state that core learning data was not affected and that the platform is secure.
- May 13, 2024: Instructure announces it has reached an agreement with an unnamed threat actor, claiming the return of stolen data and confirmation of its destruction.
The Broader Implications and the Call for Federal Support
The repeated cyberattacks on a critical piece of educational infrastructure like Instructure’s Canvas platform underscore a growing vulnerability within the K-12 and higher education sectors. The incident also brings into sharp focus the perceived decline in federal support for cybersecurity preparedness among educational institutions.
Michael Klein drew a stark comparison between the current situation and a previous incident involving PowerSchool, another major ed-tech provider, which experienced a significant hack in December 2024. At that time, Klein, serving in the U.S. Department of Education as the senior advisor for cybersecurity, was able to convene representatives from 41 states and Guam within days to share information, discuss challenges, and strategize on mitigating the impact.
"Fast forward to the latest cyberattack on Instructure, and that federal authority and structure no longer exists," Klein observed. In his current capacity, he could only gather 22 states for a similar discussion about the Instructure incident following the "widespread and understandable freakout" caused by Thursday’s disruptions. This decline in coordinated federal response, Klein explained, is partly due to the U.S. Department of Homeland Security (DHS) ending the authority of the Critical Infrastructure Partnership Advisory Council, a body that facilitated such inter-state collaborations during the PowerSchool incident. He suggested that a DHS secretary could reinstate this authority without congressional action, enabling swift federal mobilization for future incidents.
Furthermore, Klein advocated for the restoration of funding for the federal Multi-State Information Sharing Analysis Center (MS-ISAC). This initiative would provide school districts and state education agencies with cost-free access to crucial cybersecurity threat intelligence, bolstering their defensive capabilities. "This incident, as well as the PowerSchool incident, demonstrates the importance of support from the federal and state level in order to build capacity for institutions that cannot do this work themselves," Klein emphasized.
In parallel, the Software & Information Industry Association (SIIA) has actively lobbied Congress for increased investment in educational cybersecurity. On Tuesday, the SIIA dispatched letters to lawmakers in both the House and Senate, calling for a $36 million allocation in the Fiscal Year 2027 budget dedicated to enhancing digital security services for schools.
The proposed funding breakdown includes $20 million for MS-ISAC, $10 million for the Readiness and Emergency Management for Schools Technical Assistance Center to re-establish a central hub for cyber-incident management tailored to schools, and an additional $6 million to support the Department of Education’s role in coordinating educational cybersecurity efforts.
"Following the 2025 federal funding shifts that resulted in the ‘offboarding’ of school districts from essential threat monitoring services and the shuttering of key technical assistance centers, America’s K-12 education sector is currently at its most vulnerable state in a decade," stated the SIIA in its letter to the Senate Appropriations Subcommittee on Labor, Health and Human Services, Education, and Related Agencies. This statement highlights a critical juncture where the convergence of increased cyber threats and diminished federal support could leave educational institutions increasingly exposed.
The Instructure breaches serve as a potent reminder of the evolving threat landscape and the critical need for robust cybersecurity infrastructure, ongoing vigilance, and coordinated governmental support to safeguard the digital learning environments of millions of students. The long-term implications of such attacks extend beyond data privacy, potentially impacting the continuity of education and the trust placed in the digital tools that have become integral to modern learning.
