CANVAS PAYS RANSOM AFTER STUDENT DATA BREACH

Instructure, the US firm operating Canvas, disclosed the agreement after a week of outages affected schools globally. The attack resulted in stolen data, delayed assignment deadlines, and defaced login pages. The ransom decision highlights a recurring dilemma for companies facing data breaches. While cybersecurity experts and government agencies consistently advise against paying attackers—arguing it funds criminal operations and encourages future attacks—many organizations proceed anyway to mitigate privacy risks and restore operations quickly. Once ransoms are paid, questions persist about stolen data. Cybercriminals often claim to delete information but provide no verification. Some data inevitably circulates on dark web marketplaces or leaks publicly despite payment. Canvas users now face uncertainty about whether their information remains secure. Instructure has not disclosed specific details about the settlement or confirmed data deletion. The incident underscores the growing threat to education infrastructure and the difficult calculus institutions face when balancing ransom demands against operational and reputational costs.