Instructure, the parent company of the widely used educational platform Canvas, has reached an agreement with the hacking group ShinyHunters to delete stolen student and school data. The company confirmed that all impacted data was returned and that digital shred logs were provided as proof of destruction. Instructure stated that no customers will be extorted as a result of the incident, though the company did not disclose whether a ransom was paid.
The breach, which affected nearly 9,000 schools and approximately 275 million individuals worldwide, was claimed by ShinyHunters. The group had threatened to release the data publicly unless a settlement was reached by May 12. The attack caused major disruptions, including outages during finals week, with some institutions temporarily disabling access to Canvas or delaying exams.
Instructure acknowledged that there is no guarantee the data was fully destroyed, as cybercriminals have been known to lie about deletion in the past. The company emphasized that protecting student and staff data was its primary motivation. The breach involved student ID numbers, email addresses, and private messages but did not include passwords, Social Security numbers, or financial information.
The House Homeland Security Committee has requested a briefing from Instructure CEO Steve Daly regarding the multiple intrusions, the nature and amount of data stolen, and the company's coordination with federal law enforcement.