Canvas hack: debate over ransom payments and data impact

Hackers stole data from 275 million students and staff worldwide in a ransomware attack on Instructure, the US company behind the Canvas learning platform used by thousands of schools and universities. The breach, disclosed after more than a week of service outages, defaced login pages and forced institutions across continents to delay assignments and cancel final examinations.

Global Education Platform Breached

The hacking group ShinyHunters claimed responsibility for the attack, which unfolded in two phases. A first intrusion was detected around 30 April 2026, followed by a more significant breach on 7 May when attackers defaced Canvas login pages at numerous institutions, including the University of Texas San Antonio. The group exploited a vulnerability in Instructure’s Free for Teacher accounts – no-cost accounts often used outside institutional IT management – to gain access. Instructure later shut those accounts down temporarily while working on a secure reintroduction.

ShinyHunters said it had stolen approximately 3.65 terabytes of data from nearly 9,000 educational bodies, affecting an estimated 275 million users. The exfiltrated information includes names, email addresses, student ID numbers, private messages between users, course enrolments, usernames, and course names. Instructure has stated there is no evidence that passwords, dates of birth, government identifiers or financial details were compromised, though student ID numbers could potentially be used to access financial aid profiles depending on institutional systems.

The attack caused widespread disruption. In Australia, more than two dozen universities and public and private schools in several states were affected, with RMIT and the University of Technology Sydney granting extensions as students found themselves locked out. In the UK, institutions including the University of Liverpool, the University of Manchester, Queen’s University Belfast, the University of Sussex, Falmouth University, the University of Hertfordshire, Oxford and Cambridge were impacted. National bodies Jisc and UCISA are leading the response for UK universities, with the National Cyber Security Centre (NCSC) coordinating efforts.

The Ransom Conundrum

On 11 May, Instructure announced it had “reached an agreement with the unauthorised actor”. Cybersecurity experts widely interpret this as a ransom payment, though the company has not confirmed it. As part of the deal, Instructure said the stolen data was returned and it received “digital confirmation of data destruction” in the form of shred logs – technical reports generated by the programs that overwrite data to make it unrecoverable. The company added that no customers would be separately extorted and that the agreement covers all those affected. Chief executive Steve Daly issued an apology, admitting the company had failed to communicate consistently.

The question of whether to pay ransomware attackers is one that thousands of organisations face each year. Most governments, including those of the UK, the US and Australia, advise against paying, yet many companies ultimately do. The technology firm Akamai noted in its 2025 ransomware report that outright bans are rare, adding: “If ransoms are not paid, then the effectiveness of the attack vector is reduced and potentially becomes less attractive to hacker groups.” Payments can fund other criminal activities, and there is no guarantee that paying will prevent data from being released or threats from continuing, Akamai warns.

The UK is moving toward stricter rules. The government plans to ban ransomware payments for public sector bodies and operators of critical national infrastructure, including schools, NHS trusts and local councils. For private-sector organisations not covered by the ban, a new mandatory reporting regime will require companies to notify authorities before paying a ransom, allowing law enforcement to intervene and ensuring compliance with sanctions. Paying a sanctioned entity can already lead to civil and criminal penalties. These measures are expected to be implemented through the Cyber Security and Resilience Bill. The National Crime Agency and NCSC consider ransomware the greatest cybercrime threat to UK national security; prevalence among British businesses rose from under 0.5% in 2024 to 1% in 2025, and around half of surveyed firms have a policy not to pay, though many remain uncertain how to respond.

In Australia, paying a hacker designated under the autonomous cyber sanctions law can be a criminal offence, with the sanctions office considering each case individually for potential prosecution. Under mandatory reporting obligations that began in May 2025, 75 businesses with turnovers of at least A$3 million a year had paid ransoms by the end of January 2026. The government does not disclose amounts. A November ransomware survey by McGrathNicol of 800 executives from Australian businesses with 50 or more employees found the average ransom paid had fallen to A$711,000, down from A$1.35 million the previous year. The same survey showed 64% of businesses had decided to pay a ransom, and 81% said they would hypothetically be willing to do so.

Darren Hopkins, head of cyber at the forensics accounting firm McGrathNicol, says businesses are becoming better at preparing for attacks, meaning they are less likely to need to pay to regain access to locked systems. Instead, the focus is on trying to stop further harm by paying to prevent data release. “Canvas was interesting because we all suspected Instructure engaged with the threat actor very quickly because they were on the leak site and the posting got removed from it,” he said.

Expert Caution: No Guarantees

The question Hopkins says he is asked most often in boardroom training sessions is whether making a payment will actually stop data being exposed. “That question around ‘how honest is that criminal?’ comes up all the time,” he said. “The business model of hackers needs them to show that they’re honest because no one would ever pay them. So it’s a big trust factor.”

Luke Irwin, a cybersecurity expert at Aegis, estimates that based on reported ransom demands of US$10 million, it is possible Instructure – or its insurance underwriter – paid somewhere up to that amount, though the figure may have been negotiated down. He notes that it is in ShinyHunters’ interest to act in good faith as an example to other potential victims. “Instructure is dealing with a criminal organisation, and you are taking them at their word that they will commit to those outcomes,” he said. “That is a risk-driven position Instructure needs to work within.”

But Hopkins warns that trusting the word of criminals is dangerous. “You can’t rely on them to not be what they are, which is criminals,” he said. “They’ll go off and give us screenshots saying ‘here’s us deleting things’… you don’t know if they’ve made a copy, or what they’ve done beyond that. They will show you what you need to see so you’ll make your payment, and you’ve got no access to validate any of these things.”

The breach has already triggered class action lawsuits in US federal courts against Instructure. UK institutions affected now face notification obligations under GDPR, and the reputational damage to both the company and the education sector is likely to be long-lasting.

Rowan Elmsford

Managing Editor
Rowan Elmsford is the Managing Editor of AllDayNews.co.uk, based in London, UK. He oversees editorial standards, content accuracy, and daily publishing operations, while working independently from commercial influence. He also leads coverage for the Sport and World News categories, with a focus on clarity, transparency, and reader trust across the publication.