Instructure Says It Reached Deal With Hackers After Two Intrusions

Instructure, the company behind the Canvas school portal, said Tuesday it has struck an agreement with the criminal group that infiltrated its systems on two occasions this year, seizing a large trove of student and employee records and disrupting thousands of school districts that depend on the software. The group known as ShinyHunters claimed responsibility for the initial April 29 intrusion and said it had copied data tied to about 275 million people. Officials said the attackers also returned to alter Canvas sign-in pages on district websites as a pressure tactic weeks later.

The company posted an update saying the intruders supplied what Instructure described as proof that the stolen material had been eliminated and that customers would not face further extortion. Instructure warned, however, that agreements with criminal actors can never be guaranteed and urged customers not to engage directly with the attackers. The vendor said it continues to verify the findings as its investigation proceeds.

Financial details of the arrangement were not disclosed, and Instructure declined to say whether money exchanged hands. Observers noted that a listing for the Instructure haul had disappeared from the cybercrime group’s public leak site after the announcement, which industry monitors say is often an indicator that a ransom was paid. The group posted statements online asserting the data had been erased and that it would not seek additional payments.

Federal authorities have repeatedly cautioned victims not to rout funds to extortionists, and many security specialists say criminals cannot be relied upon to follow through on deletion promises. The Instructure incident follows a similar attack on another student-information vendor last year that affected tens of millions of accounts; that company also paid to recover data but some customers later reported separate demands tied to material that prosecutors say had not been fully removed.

Investigators who reviewed samples of the Instructure breach say the files included student and staff names, personal email addresses and private communications between teachers and pupils. Instructure acknowledged the two incidents were separate intrusions affecting different parts of its systems, and said it is still validating the scope of what was taken. The company did not say who within the organization owns responsibility for cybersecurity and would not say whether chief executive Steve Daly will step down.

Independent security analysts caution that a settlement may halt an immediate release of stolen records, but it can encourage more targeting of the education sector and raises legal and regulatory questions for vendors that hold sensitive information on minors. They urged school officials to treat any communications about ransom offers as potential evidence, to notify families promptly, and to work with law enforcement rather than negotiate with attackers.