Canvas Cyber-Scandal: Was a Ransom Paid for Student Data?

A digital cloud finally lifted this week from Instructure, the tech giant behind the education platform Canvas. But the air still smells faintly of sulfur. After a week of cascading outages, login pages hijacked, and the staggering theft of data belonging to hundreds of millions of students, Instructure declared it had “reached an agreement with the unauthorised actor” responsible for the ransomware siege. A resolution? Or something more financially painful?

“Agreement.” Such a polite word. Experts, however, read between the lines. A ransom, they whispered, had likely changed hands. Instructure remained tight-lipped, naturally. No confirmation there.

The Attackers and Their Haul

Who were these “unauthorised actors”? A group called ShinyHunters. They took credit. They threatened to spill a reported 3.6 terabytes of sensitive data. Student IDs. Email addresses. Names. Messages. From 9,000 schools. Affecting 275 million students and staff globally. A chilling prospect for any institution. For any parent.

In Australia, the impact was immediate. RMIT and UTS were forced to grant assignment extensions. Frustrated students found themselves locked out of vital portals.

How did this happen? Hackers exploited a flaw in Instructure's “Free for Teacher” software. They didn't just steal; they defaced login pages. University of Texas San Antonio users logged on to a breach notification. A bold, digital middle finger.

Instructure insisted the data was “returned.” Even “digital confirmation of data destruction” was provided. “Shred logs,” they called them. A technical report. Proof of deletion. Maybe.

“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.”

The Ransom Dilemma

This wasn't just an Instructure problem. Thousands of companies face this annual Sophie's Choice. Governments globally advise against paying. A noble stance. Yet, many businesses ultimately cave. Why? Desperation. Damage control. The fear of public humiliation.

Darren Hopkins, cyber head at McGrathNicol, saw Instructure's statement as “well crafted.” It admitted nothing, yet revealed everything. ShinyHunters, he reminded us, is an “extortion group.” That's their business. What “agreement” could there possibly be, other than payment?

Luke Irwin of Aegis Cybersecurity put a number on it. Up to US$10 million. That's what was reportedly demanded. Instructure, or its insurer, likely paid something in that ballpark. A heavy price.

Irwin highlighted the inherent gamble. “Instructure is dealing with a criminal organisation, and you are taking them at their word that they will commit to those outcomes,” he observed. “That is a risk-driven position Instructure needs to work within.”

Governments vs. Reality

Akamai's 2025 ransomware report noted most governments (UK, US, Australia) warn against payments. But outright bans? Rare. Less payment means less effective attacks. Logically, it makes sense. But try telling that to a CEO watching their company bleed data.

Australia even considers such payments a criminal offense under specific sanctions. Though, the office reviews these “on a case-by-case basis.” What an uncomfortable gray area.

Despite warnings, the numbers speak. By January 2026, 75 Australian businesses (>$3M turnover) had paid ransoms. The government doesn't disclose amounts. A McGrathNicol report from November found the average Australian payment was $711,000. Down from $1.35 million. Businesses are getting smarter, Hopkins suggested. Less about unlocking systems, more about stopping data leaks.

Hopkins, often quizzed in boardrooms, gets the same question: Will payment stop the leak? “How honest is that criminal?” This, he says, comes up constantly. ShinyHunters, Irwin argued, has a vested interest in playing fair. Future victims need to believe.

But Hopkins countered with a dose of stark realism. “You can't rely on them to not be what they are, which is criminals.” They'll provide screenshots. “Here's us deleting things.” Proof? Not really. “You don't know if they've made a copy, or what they've done beyond that.” The grim truth: “They will show you what you need to see so you'll make your payment, and you've got no access to validate any of these things.” A chilling thought. The digital wild west continues.

Source: theguardian.com
