Canvas paid hackers – but the student data questions are just beginning

The Canvas attack shows how educational platforms have become critical infrastructure – and how paying off hackers still leaves major questions about whether student data is truly safe. 

Last week’s Canvas cyberattack led to a finals-week nightmare for thousands of students across North America, locking them out of exams, assignments, and coursework – all while putting them face-to-face with the notorious ShinyHunters ransomware gang – something most students would never have expected. 

With threats to release stolen data belonging to 275 million students and teachers tied to the e-learning platform, Canvas by Instructure announced over the weekend it paid off the seasoned hackers, alongside a “digital confirmation of data destruction” from ShinyHunters themselves. 

The undisclosed ransom demand was reportedly paid to ShinyHunters as part of an agreement intended to prevent an imminent leak affecting schools, from kindergarten classrooms to universities worldwide. 

But now the breach is becoming something much bigger: a test of whether the more than 8,000 schools caught up in the hack can trust a hacker group’s word that stolen student data was actually destroyed.

Paying hackers does not erase the risk 

While it may have been enough to stop an immediate leak, it does not erase the larger problem – once student data is stolen, control is gone.

If we look back to the December 2024 breach of edtech software provider PowerSchool, the lesson apparently has not been learned.

After PowerSchool allegedly forked over a $60 million ransom demand, the 19-year-old attacker later turned to extorting the 15,000 North American school districts using the platform – despite earlier promises to delete the stolen data. 

Fast forward to the Canvas breach. The company says there is no evidence the stolen information was publicly leaked or retained after the payment agreement. 

Canvas revealed compromised data included full names, email addresses, student IDs, course and enrollment data, plus “billions of private messages” exchanged on the platform. 

And while passwords, Social Security numbers, financial information, grades, coursework submissions, and student files were not exposed, cyber experts say once student data falls into the hands of criminal actors, “the implications for identity theft, targeted social engineering, and even safeguarding are serious and long-lasting.”

Despite historical evidence that ransomware groups lie, students, parents, and schools are still being asked to accept that these cybercriminals will honor their end of the deal.

Criminal promises are still promises from criminals 

To be fair, there is a reason extortion groups sometimes do. ShinyHunters and groups like it operate for profit. Their entire business model depends on victims believing that payment can reduce damage, prevent leaks, or stop further extortion. 

If hackers routinely take the money and leak the data anyway, future victims have less incentive to pay.

In that sense, even criminal groups have a reputation to protect.

But that does not make their promises trustworthy. Data can be copied. Affiliates can retain files. Archives can resurface months later.

The PowerSchool breach already showed how difficult it is for schools and families to know whether stolen student information has truly disappeared after a cyber extortion incident.

That is why the Canvas case matters beyond a company apology and a single ransom agreement.

One platform, millions of students 

The attack also exposed how dependent modern schools have become on centralized cloud platforms to function at all. 

Canvas is no longer just a homework portal. For many schools, it is the classroom, gradebook, assignment tracker, messaging hub, exam platform, and student records pipeline all rolled into one.

When initial negotiations failed, ShinyHunters upped the ante, defacing Canvas login pages with threats and turned to targeting individual schools for extortion. 

With the system down, frustrated students and teachers lost access to key classroom tools, while school officials scrambled to contain the damage, with some schools forced to cancel final exams altogether.

It is the same uncomfortable lesson seen in the infamous AWS and CrowdStrike disruptions from years past: when one widely used platform fails, entire industries can grind to a halt all at once.

The answer is not for schools to abandon cloud platforms altogether. That’s unrealistic. But cyber insiders have long warned that institutions need real backup plans before outages happen – not improvised workarounds after the systems have already been disabled.

Because when the world’s classrooms run on a single platform, a cyberattack is no longer just an IT problem – it becomes an education crisis.