The Canvas Ransom: Why Instructure's Decision to Pay ShinyHunters Reopened Cybersecurity's Oldest Argument
Few debates in cybersecurity are as old, or as unresolved, as whether organizations should ever pay a ransom to the criminals who attacked them. In May 2026, that debate found a new and uniquely uncomfortable test case: Instructure, the company behind Canvas, the learning management system used by thousands of schools and universities across the US, UK, Canada, and Australia. When the extortion group ShinyHunters breached Canvas twice in under two weeks and threatened to leak data belonging to millions of students and teachers, Instructure did what security professionals have spent years telling companies not to do. It paid.
How a single login portal became a global crisis
The breach unfolded in two distinct waves. Instructure first detected unauthorized activity in Canvas on April 29, 2026, and moved quickly to revoke third-party access and bring in outside forensic investigators. For a moment, it looked contained. Then, on May 7, Canvas users were greeted with a defaced login page bearing a message from ShinyHunters: the company had ignored the gang's outreach and applied only superficial "security patches," and unless Instructure engaged by a deadline, the attackers would leak everything.
What they were threatening to leak was not a routine dataset. ShinyHunters claimed to have exfiltrated roughly 3.5 terabytes of data, including names, email addresses, student ID numbers, and — most alarmingly — private messages exchanged between students and teachers and between students themselves. Unlike a typical breach of payment card numbers or login credentials, this was deeply personal, often sensitive correspondence involving minors, much of it from people who never had any direct relationship with Instructure and had no way to protect themselves.
The disruption hit at the worst possible moment academically. Canvas serves more than 9,000 academic institutions, and the outage struck right as students were finishing end-of-semester coursework and preparing for finals. Universities scrambled to postpone exams and extend deadlines while the company worked to bring the platform back online — twice, since the second wave of disruption arrived just as things seemed to be stabilizing.
The deal, and what we still don't know about it
On May 11, Instructure announced it had reached an agreement with the attackers. The company said the threat actors had returned the stolen data, provided some form of proof they had destroyed their copies, and promised not to further extort Instructure's customers. Instructure has never publicly confirmed it paid a ransom, nor disclosed any financial terms, but virtually every outside expert who examined the timeline concluded that some form of payment almost certainly took place. Notably, the hackers had removed their extortion countdown from their dark web leak site shortly before the announcement — a detail that cybersecurity investigators flagged as strong circumstantial evidence that negotiations, and likely a transaction, had occurred behind closed doors.
This is where the story stops being a simple breach narrative and becomes a genuine controversy. Critics didn't just question whether Instructure made the right call: they argued the decision carried consequences far beyond the company itself.
"You're rewarding the people who attacked you"
Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, articulated the core objection bluntly: paying ransoms "can create a dangerous feedback loop where attackers are effectively rewarded for successful breaches." He went further, arguing that even when an organization believes it has resolved its immediate crisis, payment "reinforces the economic incentive structure behind cyber extortion" and signals to other criminal groups that large education platforms — or any critical service — can be profitable targets. Law enforcement agencies, including the FBI, have consistently discouraged ransom payments for exactly this reason, warning that paying typically invites double- and triple-extortion attempts down the line.
The data on repeat victimization is genuinely sobering. A CrowdStrike survey found that 93% of organizations that paid ransoms still had their stolen data leaked or sold anyway, and 83% were attacked again. Michael Klein of the Institute for Security and Technology summed up the fundamental problem with the very premise of a "deal" with a ransomware gang: nothing binds a criminal group to keep its word, and it can turn around and extort the people downstream of the original breach regardless of what was promised. Allison Nixon, a well-known cybercrime investigator, made a related point: one criminal group's name is often invoked by an entirely different set of attackers trading on its reputation, so even verifying who you are negotiating with is uncertain.
Nor was this the education sector's first experience with a ransom promise that failed to hold. The previous year, PowerSchool, another major education technology company, paid a ransom after a breach, only for public school employees in North Carolina to later receive threatening messages from people claiming to still have access to the exposed student and teacher data. A college student was eventually arrested in connection with that follow-on extortion. The Instructure case, in other words, was playing out against a backdrop that already offered a cautionary tale of exactly this kind of broken promise.
"What were they actually supposed to do?"
And yet the counterargument is not simply corporate self-interest dressed up in PR language — it has real substance, and a number of serious people in the security and policy world found themselves making it. Doug Levin, a cybersecurity expert who has closely tracked education-sector breaches, framed the decision as a genuine dilemma rather than a clear-cut mistake: victims of these attacks are caught "between a rock and a hard place." He pointed out that this particular threat actor has, in the past, kept its word with other victims after payment, at least as far as anyone can verify, and argued there is a compelling case that reducing further harm to the millions of affected students and teachers justified taking the deal, even given the uncertainty.
That tension — between the systemic argument ("paying funds future attacks against everyone") and the immediate humanitarian one ("real children's private messages were about to be published, right now, by people we have some evidence honor their promises") — is precisely why this case generated so much more debate than the average ransomware story. It's also why the data is genuinely mixed on what organizations actually do versus what experts recommend: research from Absolute Security found that 57 to 58% of CISOs say they would consider paying a ransom under the right circumstances, despite near-universal public messaging from law enforcement and industry bodies against doing so. The gap between stated principle and practical decision-making under pressure is enormous, and Instructure's choice made that gap impossible to ignore.
The political fallout
The controversy didn't stay contained to security circles. The U.S. House Homeland Security Committee opened an inquiry, with Chair Andrew Garbarino sending a letter to Instructure CEO Steve Daly demanding answers about how the company allowed itself to be breached twice through the same underlying vulnerability, and what categories of data were actually taken. CISA was brought in to assist with the response. Daly, for his part, issued a public apology acknowledging that customers "deserved more consistent communication" during the crisis — an implicit admission that even setting aside the payment question, Instructure's handling of disclosure and communication had fallen short.
Some context for that vulnerability question is genuinely troubling: public reporting suggested the second wave of attacks exploited the same access path involved in the first incident, with some indications pointing to Canvas's "Free-for-Teacher" support ticket environment as a factor. If accurate, that means the most damaging version of this story isn't really about the ethics of ransom payment at all — it's about a company that had a documented vulnerability, addressed it with what the attackers themselves mockingly called "security patches," and got breached again through the same door before the dust had even settled on the first incident.
A debate with no satisfying ending
There's also a regulatory dimension that gives this story staying power. While ransom payments remain generally legal in the United States, the Treasury Department has warned that paying entities tied to sanctioned countries or groups can trigger civil penalties, and other jurisdictions have begun moving toward outright bans — the UK, for example, has barred public sector and critical infrastructure operators from paying ransoms entirely, explicitly to "target the business model that fuels cyber criminals' activities." Whether the US moves toward a similar blanket restriction, especially for sectors like education that handle minors' data at enormous scale, may be one of the more consequential policy questions to come out of this single breach.
What makes the Instructure case worth dwelling on, six months later, isn't that it answers the ransom-payment question. It's that it demonstrates, in painfully concrete terms, why the question still doesn't have a clean answer. Pay, and you may be funding the next attack on someone else's school. Don't pay, and you may be the reason a 14-year-old's private messages end up on a dark web leak site. Both the National Cybersecurity Alliance and the company that just wrote what was almost certainly a very large check to a criminal extortion group can be right about something — and that, more than any single technical detail of the breach, is what makes this one of the most genuinely contested stories of the year.