Ransom deal reached with Canvas hackers who stole student and teacher data
AI-generated summary reviewed by our newsroom.
- Instructure reached a deal with hackers to recover data and obtain shred logs.
- Reports say the attack exposed personal data for over 275 million people.
- North Carolina cut Canvas access, then DPI restored it and left use to districts.
The company that owns Canvas has paid the ransom demanded by cyberhackers who broke into the learning management system and stole personal data on millions of students and school employees globally.
In an update posted Monday on Instructure’s website, the education technology company said it had reached a deal with the hackers that resulted in the stolen data being returned and copies destroyed. Instructure said that the hackers have also promised to not extort the thousands of schools — including many in North Carolina — that were affected by the global data breach.
“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers,” Instructure said on its website. “We understand how unsettling situations like this can be, and protecting our community remains our top priority.
“With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
North Carolina law bars state agencies and local government entities — including school districts, UNC System schools and community colleges — from paying ransomware demands. That prohibition doesn’t apply to private companies like Instructure.
The company that owned the PowerSchool student information system previously used by North Carolina public schools had also paid a ransomware demand after a 2025 cyberattack.
Instructure didn’t reveal how much it had paid. But the PowerSchool hacker received approximately $2.85 million in Bitcoin before he was caught and pleaded guilty to the crime, The Associated Press reported.
Public ransomware demand from hackers
Canvas is part of North Carolina’s statewide learning management system for K-12 public schools. It’s also used by many colleges and universities, including Duke University and UNC-Chapel Hill.
Instructure was hacked by ShinyHunters, a criminal extortion group that’s also been linked to data breaches at three Ivy League institutions in late 2025. The group claimed its attack on Instructure affected nearly 9,000 schools worldwide and exposed personal identifying information for over 275 million students, teachers and staff, according to Inside Higher Ed.
Last week, Instructure notified schools about the April 29 data breach. Instructure says the data breach involved information like usernames, email addresses, course names, enrollment information and messages.
On Thursday, ShinyHunters posted a ransomware demand that appeared as a pop-up message when some students and teachers logged into Canvas. The pop-up message gave Instructure and affected schools a May 12 deadline to pay or risk data exposure.
The attack led to the state Department of Public Instruction cutting off Canvas access to North Carolina public schools on Thursday. DPI restored access on Monday afternoon and left it up to individual school districts and charter schools whether to let their students and teachers use Canvas.
Terms of agreement with cyberhackers
Terms of the ransomware agreement announced by Instructure include:
- Instructure says the data was returned to the company.
- Instructure says it received digital confirmation of data destruction (shred logs).
- Instructure says it has been informed that none of its customers will be extorted as a result of this incident, publicly or otherwise.
- Instructure says this agreement covers all impacted customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure said. “We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.”
