The parent company of Canvas, the online learning platform used by hundreds of thousands of Australian students and teachers, has struck a deal with the cybercriminal gang that stole personal data from an estimated 275 million users and sought a $13 million ransom.
Instructure confirmed early Wednesday AEST that it had “reached an agreement with the unauthorised actor” responsible for the attack, which crippled Canvas in the final weeks of the first semester and took roughly 3.65 terabytes of student and staff records from 8809 educational institutions worldwide – including at least 122 in Australia.
The company stopped short of confirming a ransom payment, saying only that the stolen data had been returned alongside “shred logs” – digital confirmation the hackers had destroyed any remaining copies.
“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind,” Instructure said.
Australian victims include the University of Melbourne, University of Sydney, University of Technology Sydney, RMIT, Western Sydney University, the University of Newcastle, Australian Catholic University and the Victorian and Queensland Departments of Education. Private schools including Melbourne Grammar, Cranbrook School in Sydney and Brisbane Grammar are also among Instructure’s local customers.
Signs of the hack emerged last week and many institutions had already restored access to Canvas before the deal was reached.
Cybersecurity consultant Luke Irwin, of Aegis Cybersecurity, said the hacking group ShinyHunters had been seeking a ransom of about $US10 million, suggesting any eventual payment was likely “in the high single-digit millions.” Instructure is owned by US private equity giant KKR, and Irwin said the incident may yet surface through KKR’s investor reporting or the US Securities and Exchange Commission’s mandatory cyber-incident disclosures.
The hackers accessed student ID numbers, email addresses, names and private Canvas messages, and threatened to dump the trove publicly unless schools paid up. Instructure claims no passwords, dates of birth, government identifiers or financial information were taken.
Alastair MacGibbon, Australia’s former cyber tsar, said Instructure’s carefully worded statement was almost certainly code for a paid ransom, and one that demanded a far better explanation.
“Reaching an agreement, I would suggest, is code for paid,” he told this masthead. “I’m not against paying in certain circumstances. If someone has locked up a hospital system or a power company, or something that will have catastrophic consequences for human lives or for the survival of an economy, then payment has to always be a potential option. But in this type of circumstance, most people would question how an organisation would think that was justifiable.”
He warned that victims, including students, should not assume the data was now safe. “Criminal assurances that they won’t on-sell the information, or that they’ve deleted it, have been proven time and time again to be inaccurate, or lies.”
MacGibbon said the involvement of children might be a “semi-valid argument” for negotiating, but Instructure could not simply leave it implied. “You can’t just say we’ve reached an agreement with the criminals and they’ve told us they’re not going to release anything. It’s just not acceptable.
“You’ve got to come out and give justifications.”
Instructure was contacted for further comment. It is legal in Australia to pay a ransom to hackers, as long as they are not a sanctioned entity.
A class action filed in a US federal court in Utah last week alleges Instructure failed to adequately protect its platform and made itself “easy prey for cybercriminals”. ShinyHunters previously breached the company in 2024 via third-party software, and this time exploited a flaw in Canvas’ Free-for-Teacher program, which allowed educators to sign up without institutional verification.
The incident, which is believed to be the largest education-sector breach on record, will reignite debate about Australia’s reliance on overseas software platforms holding sensitive data on millions of children.
Traditionally, MacGibbon noted, ransom demands “will exceed what gets paid”, with significant discounts negotiated, but he said the size of any payment was beside the point.
“This is an organisation most people have never heard of that actually serviced 8000 institutions globally,” he said. “A single compromise, reasonably unsophisticated, leads to harm against millions of people. It highlights the complexity of supply chains. It should be a wake-up call for anyone else that operates an IT helpdesk or a workforce with access to these types of massive amounts of data.”
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
David Swan is the technology editor for The Age and The Sydney Morning Herald. He was previously technology editor for The Australian newspaper.Connect via X or email.