Instructure Pays Ransom After Canvas Breaches as Congress Launches Investigation
Education tech giant Instructure paid a ransom to the ShinyHunters group after two breaches of its Canvas platform, while the House Homeland Security Committee announced an investigation into the company's incident response.
Education technology firm Instructure has confirmed it paid a ransom to the ShinyHunters cybercriminal group following two breaches of its Canvas learning management platform that compromised data from thousands of schools. The company disclosed the payment late Monday, stating that the hackers agreed to return the stolen data and provide digital confirmation of its destruction. Instructure emphasized that no individual customers would be extorted as part of the agreement, which covers all 9,000 impacted customers.
The ShinyHunters group breached Canvas twice in two weeks, first stealing data on May 1 and then defacing the platform with a ransom message on May 7. The stolen information includes names, email addresses, student IDs, and messages between students and professors. The attack forced Instructure to temporarily shut down Canvas, disrupting access to course materials for millions of students ahead of final exams.
The decision to pay the ransom came just hours after the House Homeland Security Committee announced it would investigate the incident. Committee Chairman Rep. Andrew Garbarino (R-NY) sent a letter to Instructure CEO Steve Daly requesting a briefing by May 21, expressing serious concerns about the company's handling of the breaches. Garbarino noted that Instructure initially claimed the incident was contained on May 2, only to suffer a second intrusion days later.
"The recurrence of an intrusion within days of an initial breach disclosure, and Instructure's apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company's incident response capabilities," Garbarino wrote in his letter, first reported by Politico. The committee's investigation will examine the circumstances of both intrusions, the volume of data accessed, and the adequacy of Instructure's coordination with federal law enforcement and CISA.
Instructure CEO Steve Daly issued a public apology to customers over the weekend, reaffirming that Canvas is currently safe to use. The company has hired Crowdstrike and another cybersecurity firm to conduct a forensic analysis and harden its environment against future attacks. The FBI has acknowledged the disruption and warned students not to respond to any direct contact from the hackers demanding payment.
On Monday, the ShinyHunters leak site was taken offline, with several cybersecurity experts suggesting potential FBI action targeting the group. The attack on Instructure caps months of high-profile breaches by ShinyHunters, which has previously targeted Ticketmaster, AT&T, McGraw Hill, and other major organizations. The incident highlights the growing threat to the education technology sector, where platforms like Canvas serve as critical infrastructure for millions of students and faculty.