Canvas Platform Pays Hackers to Delete Stolen Student Data

Penn State was among the universities affected by the Canvas outage, which disrupted final exams for many students. The company behind the online learning platform, Instructure, announced it had reached an agreement with the hackers responsible for the cyberattack to delete the stolen data.

Deal with Hackers

Instructure, the parent company of Canvas, stated in an online post that it “reached an agreement with the unauthorized actor involved in this incident.” The company did not disclose details of the agreement, including whether a payment was made, and did not identify the perpetrators. The hacking group ShinyHunters claimed responsibility for the breach, threatening to leak data from nearly 9,000 schools worldwide affecting 275 million individuals unless a ransom was paid by 6 May. The group later extended the deadline, indicating negotiations with some schools.

Data Returned and Destroyed

As part of the deal, the stolen data was returned to Instructure. The company confirmed on Monday that it received “digital confirmation” in the form of “shred logs” that the hackers destroyed any remaining copies. Instructure acknowledged that there is no absolute certainty that the data was completely erased, but it took action due to concerns about potential publication.

“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure said.

Impact on Students and Faculty

The cyberattack caused panic last week when students and faculty were locked out of the platform, which is essential for managing grades, accessing course notes, and submitting assignments. Many schools and universities delayed final exams in response to the breach. The data compromised included student ID numbers, email addresses, names, and messages on the Canvas platform, according to Instructure’s chief information security officer, Steve Proud. The company found no evidence that passwords, dates of birth, government identification, or financial information were exposed.

Ongoing Security Measures

Instructure stated it is working with “expert vendors” to conduct a forensic analysis, further strengthen its systems, and carry out a comprehensive review of the data involved. Canvas is widely used by schools and universities to manage nearly all aspects of instruction, including grade books, digital lectures, course materials, discussion boards, and messaging. Some courses also administer quizzes and exams on the platform or use it as a portal for submitting final projects and papers.

The incident highlights the vulnerabilities in educational technology systems and the challenges institutions face in protecting sensitive student data.
