Canvas ransom deal ends Australia's largest education data breach

Millions of Australian students and staff had personal data including names, emails, and student ID numbers compromised in the breach.
Criminal assurances they've deleted it have been proven lies
MacGibbon warns that Instructure's claims about data destruction cannot be trusted based on past patterns of criminal behavior.

In the quiet architecture of modern education, millions of students entrust their records to platforms they rarely think about — until those platforms fail them. Instructure, the American company behind the Canvas learning system, announced it had reached a settlement with the criminal group ShinyHunters after a breach affecting 275 million users globally, including students and staff at 122 Australian institutions. The company's careful language around an 'agreement' has led security experts to conclude that a ransom was almost certainly paid, raising enduring questions about whether negotiating with criminals protects victims or simply funds the next attack. The incident is less a story about one company's lapse than a reckoning with how deeply education — and the children within it — has been entrusted to distant, centralised systems whose vulnerabilities are only visible when they break.

  • ShinyHunters stole 3.65 terabytes of student and staff data from Canvas, hitting universities, TAFEs, and private schools across Australia at the worst possible moment — the final weeks of semester.
  • Instructure's refusal to confirm a ransom payment while announcing an 'agreement' with the attackers has drawn sharp criticism, with Australia's former cyber security chief calling the language 'code for paid.'
  • Security experts warn that criminal promises to destroy stolen data are routinely broken, meaning millions of students' names, emails, and messages may still be in criminal hands despite the deal.
  • A class action lawsuit filed in the United States alleges Instructure left itself dangerously exposed, and the payment — estimated in the high single-digit millions — may eventually surface in investor filings.
  • The breach has reignited urgent debate about Australia's structural dependence on overseas platforms to hold sensitive data on children, with experts calling it a wake-up call for the entire sector.

Instructure, the American company behind the Canvas learning management system, announced it had reached a deal with ShinyHunters — the criminal gang that broke into its systems and made off with personal data from an estimated 275 million users across nearly 9,000 institutions worldwide. At least 122 Australian schools, universities, and TAFEs were caught in what is believed to be the largest data breach ever recorded in the education sector. The attackers had demanded roughly $13 million and threatened to release the stolen data publicly. Instructure said the data had been returned and that proof of destruction had been provided, but stopped short of confirming whether money changed hands.

The breach struck during the final weeks of semester, forcing institutions to scramble as Canvas went dark. The stolen records — 3.65 terabytes of names, email addresses, student IDs, and private messages — touched some of Australia's most prominent universities and school systems, from the University of Melbourne and RMIT to Melbourne Grammar and the Victorian Department of Education. Passwords and financial data were reportedly not taken, though the disruption to daily academic life was immediate and widespread.

Alastair MacGibbon, Australia's former cyber security chief, was unsparing in his reading of Instructure's statement. 'Reaching an agreement, I would suggest, is code for paid,' he said, adding that victims should place no faith in criminals' assurances that stolen data has been destroyed — such promises, he noted, have repeatedly proven false. He called on Instructure to offer genuine public justification rather than retreat behind corporate language, particularly given that children's data was involved.

Cybersecurity consultant Luke Irwin estimated any actual payment was likely in the high single-digit millions. Instructure is owned by US private equity firm KKR, and the sum may eventually appear in investor or regulatory filings. A class action lawsuit filed in Utah alleges the company failed to adequately protect its platform — and that this was not its first lapse, having suffered a related breach through third-party software in 2024.

For MacGibbon, the deeper lesson was structural. A single company most Australians had never heard of was quietly holding data for 8,000 institutions across the globe. One breach, he said, led to harm against millions — and served as a warning to any organisation operating at scale with access to sensitive personal data. The incident has forced a harder question about what it means to hand the records of an entire generation of students to platforms headquartered far away, governed by different laws, and vulnerable in ways that only become visible when something goes wrong.

Instructure, the company behind Canvas, announced early Wednesday that it had reached a deal with the criminal gang that broke into its systems and stole personal information from an estimated 275 million users across nearly 9,000 educational institutions worldwide. At least 122 Australian schools, universities, and TAFEs were caught in what is believed to be the largest education-sector data breach on record. The hackers, identified as ShinyHunters, had demanded roughly $13 million and threatened to release the stolen data publicly unless they were paid.

The breach crippled Canvas during the final weeks of the first semester, forcing schools to scramble to restore access to the platform that hundreds of thousands of Australian students and teachers rely on daily. The attackers made off with 3.65 terabytes of student and staff records—names, email addresses, student ID numbers, and private Canvas messages. Instructure said no passwords, dates of birth, government identifiers, or financial information were taken, though the company stopped short of explicitly confirming whether a ransom had been paid. Instead, it said only that it had "reached an agreement" with the attackers and that the stolen data had been returned alongside digital proof that remaining copies had been destroyed.

The victims read like a map of Australia's education sector. The University of Melbourne, University of Sydney, RMIT, Western Sydney University, the University of Newcastle, and Australian Catholic University all had data exposed. So did the Victorian and Queensland Departments of Education. Private schools including Melbourne Grammar, Cranbrook in Sydney, and Brisbane Grammar were also affected. The breach first surfaced publicly last week, and many institutions had already restored Canvas access before the deal was announced.

Alastair MacGibbon, Australia's former cyber security chief, was blunt about what Instructure's carefully worded statement actually meant. "Reaching an agreement, I would suggest, is code for paid," he told the Sydney Morning Herald. He acknowledged that in some circumstances—a hospital system held hostage, a power company crippled—paying a ransom might be defensible. But for a data breach involving millions of students' personal information, the calculus was different. "Most people would question how an organisation would think that was justifiable," he said. He also warned that victims should not trust the criminals' assurances that the data had been deleted. Criminal promises to destroy stolen information "have been proven time and time again to be inaccurate, or lies."

MacGibbon pressed Instructure to explain itself publicly rather than hide behind corporate language. The involvement of children might be a partial justification for negotiating, he said, but the company could not simply imply that and move on. "You can't just say we've reached an agreement with the criminals and they've told us they're not going to release anything. It's just not acceptable. You've got to come out and give justifications." A cybersecurity consultant at Aegis Cybersecurity, Luke Irwin, estimated that if the initial demand was around $10 million, any actual payment was likely "in the high single-digit millions." Instructure is owned by the US private equity firm KKR, and the payment may eventually surface in investor reports or SEC filings.

The breach exposed a troubling pattern. ShinyHunters had already broken into Canvas in 2024 through a flaw in third-party software. This time, they exploited a vulnerability in the Free-for-Teacher program, which allowed educators to sign up without institutional verification. A class action lawsuit filed in a US federal court in Utah last week alleges that Instructure failed to adequately protect its platform and made itself an easy target for criminals. It is legal in Australia to pay a ransom to hackers as long as they are not a sanctioned entity, but the incident has reignited questions about the country's dependence on overseas software platforms to hold sensitive data on millions of children.

MacGibbon framed the breach as a warning about supply chain risk. "This is an organisation most people have never heard of that actually serviced 8000 institutions globally," he said. "A single compromise, reasonably unsophisticated, leads to harm against millions of people. It highlights the complexity of supply chains. It should be a wake-up call for anyone else that operates an IT helpdesk or a workforce with access to these types of massive amounts of data." The incident has exposed not just a security failure but a structural vulnerability in how Australian education depends on distant, centralized platforms—and what happens when those platforms fall.

Reaching an agreement, I would suggest, is code for paid. You've got to come out and give justifications.
— Alastair MacGibbon, Australia's former cyber security chief
A single compromise, reasonably unsophisticated, leads to harm against millions of people. It should be a wake-up call.
— Alastair MacGibbon, on the broader supply chain risk
The Hearth Conversation: another angle on the story
Inventor

Why would Instructure pay a ransom when it's so clearly the wrong message to send?

Model

Because 275 million people's data was in the hands of criminals, and they had to make a choice between a certain loss and an uncertain one. The company probably calculated that paying was faster and more controllable than the alternative.

Inventor

But doesn't paying just encourage more attacks?

Model

That's the argument MacGibbon makes, and he's not wrong. But Instructure had to weigh that against the immediate harm to students and staff. The company likely believed the ransom was the lesser evil in that moment.

Inventor

Why didn't Instructure just say they paid?

Model

Because admitting to a ransom payment opens them to criticism, lawsuits, and questions about whether they negotiated in good faith. The vague language—"reached an agreement"—lets them claim they did what was necessary without explicitly confirming they funded criminal activity.

Inventor

Is the data actually deleted?

Model

Almost certainly not. MacGibbon's point is that criminals lie about this routinely. They may have deleted some copies, but there's no way to verify they destroyed everything. The data could be sold later, used for identity theft, or held for another ransom demand.

Inventor

What should have happened instead?

Model

Ideally, Canvas should have been secure enough that this breach never happened. But once it did, Instructure should have been transparent about what they did and why, rather than hiding behind corporate language. The public—especially parents—deserves to know the full story.

Inventor

Will this change how Australian schools choose their platforms?

Model

It should. This breach shows that relying on a single overseas company to hold data on millions of children is risky. Schools may start demanding better security standards, redundancy, or even local alternatives. But change is slow in education.
