There is never complete certainty when dealing with cyber criminals
In a moment that lays bare the impossible calculus of the digital age, Instructure — the company behind the Canvas learning platform — chose to pay an undisclosed ransom to the Shiny Hunters hacking group after 3.5 terabytes of student data were stolen from roughly 9,000 universities and colleges across four countries. The decision, made against the explicit counsel of law enforcement worldwide, reflects the quiet desperation of institutions caught between the certainty of harm and the uncertainty of trust. That students sat in exam halls watching ransom demands appear on their screens reminds us that the vulnerabilities of our interconnected systems are no longer abstract — they arrive mid-sentence, mid-thought, mid-exam.
- A criminal group called Shiny Hunters seized 3.5 terabytes of sensitive data from 9,000 institutions and threatened to publish it unless paid in bitcoin — turning student records into leverage.
- The attack surfaced in real time: students mid-exam watched ransom messages flood their screens, exams were abandoned, coursework vanished, and the academic calendar buckled under the disruption.
- Law enforcement agencies worldwide warn that paying ransoms emboldens attackers and offers no guarantee of deletion — the LockBit case proved criminals routinely keep data for resale even after payment.
- Instructure paid anyway, negotiating for data return, digital proof of destruction, and a promise of no further extortion — terms that cyber experts regard with deep skepticism.
- Shiny Hunters had already breached Instructure twice before, and their silence on student suffering signals that this payment may invite rather than end future attacks.
Instructure, the company behind the Canvas learning management platform, has admitted to paying hackers after a breach last week disrupted thousands of universities and colleges across the United States, Canada, Australia, and the United Kingdom. The attackers — a group known as Shiny Hunters — stole 3.5 terabytes of sensitive data from roughly 9,000 institutions and demanded bitcoin payment in exchange for not publishing it.
The decision to pay cuts against the advice of law enforcement agencies worldwide, who argue that ransom payments fuel further attacks and offer no real guarantee that stolen data is ever truly destroyed. The point is not merely theoretical: when investigators dismantled the LockBit ransomware operation, they found that criminals had retained victim data long after payments were made, intending to resell it. Instructure did not disclose the sum paid, but said the agreement included the return of the data, digital confirmation of its destruction, and assurances against further extortion.
The human cost was immediate. Meteorology student Aubrey Palmer was mid-essay in a 2,900-word exam at Mississippi State University when a ransom message appeared on every screen in the room. Palmer's first instinct was that something had gone wrong personally — only on closer reading did the institutional scale of the breach become clear. Dozens of students faced the same confusion, unsure whether their work had been saved. Mississippi State later postponed some exams to allow students to recover.
Instructure's public acknowledgment of the payment is rare in a world where ransom negotiations are typically kept secret. The company has posted regular updates throughout the incident — a transparency likely forced by the attack's visibility, arriving as it did at a critical point in the academic calendar. In a statement, Instructure said protecting student and staff data was its primary motivation, conceding that certainty is impossible when dealing with criminals but arguing the payment offered the best available path forward.
Shiny Hunters had breached Instructure twice before — in September 2025 and again in April 2026 — and have previously targeted Jaguar Land Rover and Gucci. When contacted by the BBC, the group declined to comment on the distress caused to students. Their willingness to return to the same target, and their silence on the suffering they caused, suggests that Instructure's payment may have purchased something far less durable than peace of mind.
Instructure, the company behind Canvas, has acknowledged paying hackers to delete stolen student data after a breach that disrupted thousands of colleges and universities last week. The attack affected roughly 9,000 institutions across the United States, Canada, Australia, and the United Kingdom. The criminals—a group calling itself Shiny Hunters—had stolen 3.5 terabytes of sensitive information and threatened to publish it unless they received payment in bitcoin.
The decision to pay runs counter to guidance from law enforcement agencies worldwide, who argue that ransom payments encourage future attacks and provide no real assurance that stolen data has actually been destroyed. History offers cautionary examples: when the National Crime Agency dismantled the LockBit ransomware operation, investigators discovered that criminals had kept stolen data even after victims paid them, intending to resell it later. Instructure did not disclose the amount paid, but the company said the agreement included the return of the data, digital confirmation of its destruction, and assurances that no customers would face further extortion.
The breach was discovered on April 29th and claimed almost immediately by Shiny Hunters, a prolific extortion group known for targeting major corporations. The hackers have previously breached Instructure twice before—once in September 2025 and again in April 2026—and have claimed responsibility for attacks on Jaguar Land Rover and Gucci. When contacted by the BBC, the group declined to comment on the disruption caused to students or to reveal how much it had been paid.
The human impact was immediate and visible. Aubrey Palmer, a meteorology student at Mississippi State University, was in the middle of a 2,900-word exam essay when a ransom message suddenly appeared on every screen in the exam room. The note announced that Shiny Hunters had breached Instructure and demanded payment in bitcoin. Palmer's first instinct was panic—the message looked like a personal hack. Only after reading it carefully did the student realize the breach was institutional, not individual. Dozens of other students received the same message, and confusion spread about whether their work had been saved. Mississippi State later postponed some exams to allow students time to recover any lost work.
Instructure's decision to publicly acknowledge the payment is unusual in the ransomware world, where victims typically keep such negotiations secret. The company has maintained unusual transparency throughout the incident, posting regular updates on its website. That openness may reflect the fact that the attack was impossible to hide—it affected students directly, disrupting exam schedules and cutting off access to revision materials at a critical moment in the academic calendar. In a statement, Instructure said protecting student and staff data was its primary motivation, acknowledging that "there is never complete certainty when dealing with cyber criminals" but arguing that paying offered the best available path to peace of mind.
Shiny Hunters, described by investigators as English-speaking and likely young, showed no remorse when asked about the stress inflicted on students. The group's willingness to strike the same target multiple times, combined with its track record of hitting high-profile organizations, suggests that Instructure's payment may do little to deter future attacks—either against the company or against other institutions watching to see whether ransom payments actually work.
Notable Quotes
My knee-jerk reaction was that I'd been hacked myself, because that's what it looked like. But then I actually read the ransom note and saw it was Canvas that had been hacked.— Aubrey Palmer, meteorology student at Mississippi State University
We have no comment on that.— Shiny Hunters, when asked about stress and disruption caused to students
The Hearth Conversation Another angle on the story
Why would a company pay criminals when law enforcement explicitly warns against it?
Because the alternative—having 3.5 terabytes of student records published online—felt worse. Once the data is stolen, the company's choices are all bad. At least a payment came with promises, even if those promises are unreliable.
But doesn't paying just guarantee the next attack?
Probably. Shiny Hunters has hit Instructure three times now. Each time, the company gets a little more desperate. The calculus shifts when you're responsible for millions of students' personal information.
What about the students themselves—did anyone ask them if they wanted to pay?
No. That's the strange part. Aubrey Palmer and thousands of others had no say in the decision. They just saw the ransom note appear mid-exam and had to figure out what it meant for their work.
Why did Instructure admit to paying when most companies hide it?
Because they couldn't hide it. The breach was too visible, too disruptive. Students saw the ransom message. Exams got cancelled. The company chose transparency partly out of necessity, partly to show they were taking action.
Do you think the hackers actually deleted the data?
Almost certainly not. Shiny Hunters has done this before. They take the money and keep copies. It's a business model. Instructure paid for the hope that they did, not the certainty.