Instructure has paid an undisclosed ransom to the ShinyHunters group, which breached Canvas twice in the span of ten days (Inside Higher Ed). According to Instructure, the hackers returned compromised data tied to roughly 275 million users across more than 8,800 institutions and provided digital confirmation that the data had been destroyed, along with assurances that customers would not be extorted further.
Three things are worth noting for Virginia school divisions.
First, the ransom payment confirms the breach was serious enough that one of the largest ed-tech vendors in North America determined payment was the appropriate response. Canvas is used by 41 percent of higher education institutions in North America. The scale of dependency is exactly what made the leverage possible.
Second, a promise from a ransomware group that data has been destroyed is not independent verification. Whether all copies were actually destroyed cannot be independently confirmed.
Third, according to reporting from Inside Higher Ed, ShinyHunters breached Canvas a second time after Instructure initially declined to pay and attempted to patch the vulnerability.
For Virginia school divisions, the broader question is what data and operational functions should remain under direct division control versus centralized third-party cloud platforms.
