Canvas Paid Hackers to Delete 275 Million Stolen Student Records. Experts Say That's No Guarantee.

On May 11, 2026, Instructure — the company that operates Canvas, the learning management system used by 41% of U.S. higher education institutions — reached what it called an "agreement" with the hacking group ShinyHunters [1]. In exchange for an undisclosed sum, Instructure said it received its stolen data back, along with "digital confirmation of data destruction" [2]. The breach, which hit during finals week and forced Canvas offline twice in ten days, exposed approximately 275 million records across 8,809 institutions in 50 countries [3][4].

The deal raises a question that cybersecurity experts, legal scholars, and federal investigators have grappled with for years: when a company pays criminals to delete stolen data, does the data actually get deleted?

What Was Stolen

ShinyHunters, a decentralized cybercriminal group affiliated with the broader network known as "The Com," claimed to have exfiltrated 3.65 terabytes of data [5]. The stolen records included student and staff names, email addresses, student ID numbers, course names, enrollment information, and billions of private messages exchanged between students and educators [3][6].

Instructure stated that passwords, dates of birth, government identifiers such as Social Security numbers, and financial information were not compromised [7]. But security researchers have pointed out that the private messages alone — spanning years of student-teacher communication — are likely to contain sensitive content including medical accommodation requests, private advisor conversations, and personal disclosures that students never expected would be read by anyone outside their institution [5][8].

The breach affected all eight Ivy League universities, 1,616 K-12 school districts, and major institutions including Duke, Stanford, Oxford, and Cambridge [4][9]. Rutgers University, the University of California system, and UMass Amherst were among the schools that issued alerts to their communities [10].

How It Happened — Twice

The initial intrusion exploited a vulnerability in Instructure's Free-For-Teacher accounts, a complimentary Canvas tier designed for individual educators [5][11]. ShinyHunters used this access point to reach backend systems and exfiltrate data at scale.

Instructure detected unauthorized activity on April 29 and said it revoked access, rotated application keys, and engaged external forensic partners [7]. By May 1, the company had publicly confirmed the compromise and shut down Canvas Data 2 and Canvas Beta [7]. Canvas was restored by May 5.

Then, on May 7, ShinyHunters breached Instructure a second time [12]. The hackers defaced login pages at approximately 330 institutions with ransom messages, forcing Canvas offline again [3][13]. The second breach — occurring just two days after the platform had been restored — raised immediate questions about whether Instructure had adequately remediated the initial vulnerability.

Representative Andrew Garbarino, chairman of the House Homeland Security Committee, requested a briefing by May 21, stating: "The recurrence of an intrusion within days of an initial breach disclosure, and Instructure's apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company's incident response capabilities" [14].

The Payment

Instructure CEO Steve Daly confirmed the company had reached an "agreement" with ShinyHunters on May 11, one day before the hackers' stated deadline [1][2]. The company did not use the word "ransom" and did not disclose the dollar amount [15].

In exchange, Instructure said, it received the stolen data back, "shred logs" as digital confirmation of data destruction, and an assurance that "no Instructure customers will be extorted as a result of this incident" [2][7].

The payment mechanism — whether cryptocurrency, direct transfer, or intermediary — has not been disclosed. The average ransom demand in the education sector was $464,000 in 2025, down from $694,000 the year prior, though the Canvas breach was far larger than a typical incident [16].

In a public apology, Daly acknowledged communication failures: "We focused on fact-finding and went quiet when you needed consistent updates. You deserved more consistent communication from us, and we didn't deliver it" [7].

Why Experts Are Skeptical

The central problem with paying for data deletion is straightforward: there is no way to verify that criminals who stole data have actually destroyed all copies.

Cliff Steinhauer, Director of Information Security at the National Cybersecurity Alliance, warned that such payments "can create a dangerous feedback loop" and signal that targeting education platforms "can be profitable." He added: "There is no reliable way to verify those claims," and "data is often retained, resold, or used in future extortion attempts" [17].

Allison Nixon, a security researcher at Unit 221B who has tracked ShinyHunters extensively, was more direct: "They are claiming they will delete the data after they are paid... This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past" [5].

The FBI has long maintained that it "does not support paying a ransom in response to a ransomware attack" [18]. Security journalist Brian Krebs has documented multiple cases where criminal groups collected payment for data deletion and then resold or re-used the data regardless [19].

Instructure's own evidence of deletion — "shred logs" — amounts to documentation provided by the attackers themselves. No independent third-party verification of data destruction has been announced.

Trend Micro, which designated the threat actor "SHADOW-AETHER-015," assessed ShinyHunters as having "medium-to-high capability" and noted the group's history of breaches at Salesforce, Snowflake, Udemy, and 7-Eleven [11]. Notably, ShinyHunters simultaneously breached video platform Vimeo through a supply chain attack on analytics partner Anodot; Vimeo refused to pay [5].

The Case for Paying

Despite the skepticism, some incident-response professionals argue that paying for data deletion — while far from ideal — can be a rational harm-reduction strategy when weighed against the alternatives.

The calculus is grimly practical. Notification costs alone for 275 million affected individuals could run into tens of millions of dollars. Class-action litigation following breaches of this scale routinely produces settlements in the hundreds of millions. The reputational damage to a company whose entire business depends on institutional trust in data security could be existential [20].

Cynthia Kaiser, Senior VP at Halcyon Ransomware Research Center, called this "one of the largest single education-sector exposures" tracked, comparing it to the Clop group's 2025 Oracle EBS attack in cascading sector-wide impact [5]. For a breach of this magnitude, the cost of not attempting to prevent data publication — even with imperfect guarantees — can be seen as the lesser risk.

Instructure's framing that the agreement would prevent "direct attacker contact with individual institutions" [2] also points to a real concern: without a centralized payment, ShinyHunters could have contacted each of the 8,809 affected institutions individually, demanding separate ransoms and creating chaos across the education sector.

Legal Exposure

The legal landscape surrounding ransom payments is fragmented and, in some cases, contradictory.

FERPA — the Family Educational Rights and Privacy Act — applies directly to schools and universities, not to their technology vendors [21][22]. Schools remain accountable for vendor oversight through service agreements, but FERPA's enforcement mechanism is the potential loss of federal education funding, a sanction that has never been imposed in the law's 50-plus year history [22].

FERPA also does not require direct breach notification to affected students or parents — it requires only that the institution record the disclosure [21][22]. Critics have called this framework, designed for "paper files in locked cabinets," inadequate for modern educational technology [22].

State laws create a patchwork of additional obligations. California's Student Online Personal Information Protection Act (SOPIPA), New York's Education Law Section 2-d, and Colorado's HB 16-1423 impose breach notification deadlines and parent communication requirements that go beyond FERPA [22][23]. North Carolina, Florida, and Tennessee explicitly prohibit public sector organizations from paying ransoms, which could complicate matters for institutions in those states that are contractually tied to Instructure's actions [23].

At the federal level, the U.S. Treasury's Office of Foreign Assets Control (OFAC) regulations could make ransom payments illegal if ShinyHunters members appear on the Specially Designated Nationals list [17]. Payments could also violate the International Emergency Economic Powers Act or the Trading with the Enemy Act, depending on the nationality and affiliations of the recipients [17].

The U.S. Department of Education issued a Technology Security Alert on May 12 regarding the incident [24], and CISA confirmed awareness and offered support [14].

Disclosure Questions

Whether Instructure adequately disclosed the payment to affected institutions remains an open question. The company's public incident page confirmed the "agreement" but provided limited detail about the payment itself [7].

Individual institutions have been left to make their own assessments. Rutgers IT issued an alert on May 4 acknowledging the "nationwide security breach" but could only relay the limited information Instructure had provided [10]. Duke University's student newspaper reported that the university was "among 9,000 schools affected" but had received little direct communication from Instructure about the scope of data exposure specific to Duke [9].

Under many institutional service agreements, vendors are obligated to provide timely and detailed notification of security incidents. Whether Instructure's communications met those contractual requirements — particularly regarding the payment and the basis for its claim that data had been deleted — is likely to become a focus of legal scrutiny [22].

Education Under Siege

The Canvas breach is the largest single incident in a sector that has become one of the most targeted by cybercriminals.

Education was the most attacked sector globally in 2025, with an average of 4,388 weekly cyberattacks per educational organization — a 63% surge from the prior year [16][25]. Ransomware attacks on educational institutions worldwide rose from 166 in 2021 to 251 in 2025 [16].

[Chart: Education Sector Ransomware Attacks (2021-2025). Source: Comparitech / DeepStrike / GovTech. Data as of May 12, 2026.]

Higher education institutions bear a disproportionate share of the damage. In the U.S. in 2025, higher-ed breaches exposed 3.7 million records compared to 175,000 for K-12 [25]. The education sector also takes an average of 4.8 months to report data breaches — the slowest of any sector [26].

The average cost of an education data breach reached $3.8 million in 2025 [16]. While lower than healthcare ($10.9 million) or finance ($6.1 million), the figure is significant for institutions that operate on thin margins and often lack dedicated cybersecurity staff [16][25].

[Chart: Average Cost of Data Breach by Sector ($ Millions, 2025). Source: IBM / Comparitech. Data as of May 12, 2026.]

K-12 institutions are particularly vulnerable. A 2025 survey found that 82% of K-12 schools experienced a cyber incident between July 2023 and December 2024 [25]. Many districts lack full-time IT security personnel and rely heavily on third-party platforms like Canvas for core educational functions.

What Comes Next

Instructure has taken several concrete remediation steps: shutting down the Free-For-Teacher accounts that served as the attack vector, rotating application keys, revoking privileged credentials, and resetting access tokens [7]. The company says it has engaged external forensic partners, though it has not named them or committed to a timeline for a third-party audit [7].

The House Homeland Security Committee's demand for a briefing by May 21 [14] signals that congressional scrutiny is likely to intensify. The Department of Education's Technology Security Alert [24] could be a precursor to more formal regulatory action, though FERPA's limited enforcement history suggests that any consequences will more likely come through state-level actions or private litigation.

For the 275 million students, educators, and staff whose data was exfiltrated, the outcome depends on a promise from criminals who broke into the same system twice in ten days — and on the unverifiable claim that they destroyed everything they took.

As security researcher Allison Nixon put it, the track record of such promises from ShinyHunters and affiliated groups is one of "false statements to victims and to the public" [5]. The data may or may not be gone. There is, at present, no way to know.

Sources (26)

  [1] Instructure Pays Ransom to Canvas Hackers (insidehighered.com)
      Instructure confirmed reaching an agreement with the hacking group ShinyHunters, paying an undisclosed sum in exchange for the return of stolen data and digital confirmation of data destruction.

  [2] Instructure strikes deal with hackers who breached it twice (techcrunch.com)
      Instructure said it received shred logs as digital confirmation of data destruction and assurance that no customers will be extorted as a result of the incident.

  [3] Canvas hack: What we know about the breach that hit during finals week (cnn.com)
      The hack affected approximately 8,809 institutions across 50 countries. ShinyHunters defaced login pages at approximately 330 institutions during the second breach.

  [4] 2026 Canvas security incident (en.wikipedia.org)
      ShinyHunters claimed to have stolen 3.65 terabytes of data encompassing approximately 275 million records from Canvas, affecting all eight Ivy League universities and 1,616 K-12 school districts.

  [5] Instructure claims hackers returned stolen Canvas data (cyberscoop.com)
      Security researcher Allison Nixon of Unit 221B stated that ShinyHunters and related Com actors 'have made false statements to victims and to the public in the past' regarding data deletion claims.

  [6] ShinyHunters' Instructure Canvas LMS and Vimeo Breaches (hackread.com)
      ShinyHunters simultaneously breached Vimeo through a supply chain attack on analytics partner Anodot. Vimeo refused to pay. Stolen records included billions of private messages between students and teachers.

  [7] Security Incident Update & FAQs (instructure.com)
      Instructure confirmed shutting down Free-For-Teacher accounts, rotating application keys, revoking privileged credentials, and engaging external forensic partners. CEO Steve Daly issued a public apology.

  [8] Instructure took a risky approach to recover stolen Canvas data (helpnetsecurity.com)
      Analysis of the legal and security implications of Instructure's decision to pay ShinyHunters, including discussion of private messages containing medical accommodations and sensitive personal disclosures.

  [9] Duke among 9,000 schools affected by Canvas cyberattack (dukechronicle.com)
      Duke University confirmed it was among the institutions affected, with limited direct communication from Instructure about the specific scope of data exposure at Duke.

  [10] Nationwide security breach involving Canvas (it.rutgers.edu)
      Rutgers IT issued an alert about the nationwide Canvas security breach, relaying limited information provided by Instructure to the university community.

  [11] What Is the Instructure Canvas Breach? (trendmicro.com)
      Trend Micro designated the threat actor SHADOW-AETHER-015, assessed ShinyHunters as medium-to-high capability, and detailed the Free-For-Teacher account vulnerability as the initial attack vector.

  [12] Deal reached with hackers to delete data stolen from Canvas educational platform (nbcnews.com)
      NBC News reported on Instructure's agreement with ShinyHunters and the broader implications for educational data security.

  [13] How the Canvas software hack disrupted classes across America (nbcnews.com)
      The second breach on May 7 defaced login pages and forced Canvas offline again, disrupting finals week for millions of students.

  [14] Canvas owner reaches agreement with hackers as experts warn against negotiating (wral.com)
      House Homeland Security Committee Chairman Andrew Garbarino requested a briefing by May 21, citing serious questions about Instructure's incident response capabilities.

  [15] Canvas Hack: Instructure Agrees to Ransom Deal in Exchange for Stolen Data (kqed.org)
      KQED reported on Instructure's ransom deal and its implications for the education sector, including expert analysis of the decision.

  [16] Education Ransomware Roundup: Q1-Q3 2025 Stats on Attacks, Ransoms and Data Breaches (comparitech.com)
      Education saw 251 ransomware attacks in 2025. Average ransom demand was $464,000, down 33% from $694,000 in 2024. Average breach cost reached $3.8 million.

  [17] Instructure Pays Ransom to Resolve Canvas Data Breach Affecting 275 Million Users (securityboulevard.com)
      Analysis of OFAC regulations, FERPA limitations, and the legal risks of ransom payments including potential violations of the International Emergency Economic Powers Act.

  [18] Ransomware (fbi.gov)
      The FBI does not support paying a ransom in response to a ransomware attack, warning that payment does not guarantee data recovery and encourages future criminal activity.

  [19] Why Paying to Delete Stolen Data Is Bonkers (krebsonsecurity.com)
      Brian Krebs documented multiple cases where criminal groups collected payment for data deletion and then resold or reused the data regardless.

  [20] The Canvas Hack Is a New Kind of Ransomware Debacle (techbuzz.ai)
      Analysis of the harm-reduction argument for paying ransoms when notification costs, litigation, and reputational damage for 275 million affected individuals are weighed against breach severity.

  [21] Canvas Breach: What It Means for Schools & FERPA Compliance (compassitc.com)
      FERPA applies directly to schools, not vendors. No school has ever been stripped of federal funding under FERPA. The law does not require direct breach notification to students or parents.

  [22] Fixing FERPA: Adding Cybersecurity Requirements (publicinterestprivacy.org)
      Critics have called FERPA's framework, designed for paper files in locked cabinets, wholly inadequate for modern educational technology and data security.

  [23] Hacked Canvas paints unclear picture for NC schools, students (carolinapublicpress.org)
      North Carolina, Florida, and Tennessee prohibit public sector organizations from paying ransoms, complicating the legal picture for schools in those states.

  [24] Technology Security Alert: Ongoing Cybersecurity Incident Involving Canvas Learning Management System (fsapartners.ed.gov)
      The U.S. Department of Education issued a Technology Security Alert on May 12, 2026, regarding the ongoing cybersecurity incident involving Canvas.

  [25] Cyber Attacks on Schools Plateaued in 2025, But More Records Exposed (govtech.com)
      Higher-ed breaches exposed 3.7 million records in 2025 compared to 175,000 for K-12. Education was the most attacked sector with 4,388 weekly cyberattacks per organization. 82% of K-12 schools experienced a cyber incident between July 2023 and December 2024.

  [26] Data breach reporting lags in education sector, study finds (k12dive.com)
      The education sector takes an average of 4.8 months to report data breaches, the slowest of any sector studied.