There Are Helpful Lessons From the Hack of Edtech Company Canvas
5/21/26 – Earlier this month, a web-based learning management system used in 9,000 schools and colleges suddenly went offline. Canvas, which students and teachers rely on for assignments, course materials, grading and communication, was the victim of a massive ransomware attack by the hacking group ShinyHunters.
Disrupting college final exams, the hackers informed Canvas they had broken into its systems and stolen private conversations and personal information on 275 million students, faculty and staff. Students and teachers were getting ransom notes on their computer screens. Pay up or the hackers would begin publicly sharing what they had.
Data breaches are one of the most common crises companies face. According to data analysis firm Statista, last year there were more than 3,300 cases of corporate data compromises in the United States. Increasingly, these incidents involve ransom demands.
Canvas got back online quickly, announcing days after the attack they had “reached an agreement” with the “cyber criminals,” assuring customers:
- The data was returned to us.
- We received digital confirmation of data destruction (shred logs).
- We have been informed that no customers will be extorted as a result of this incident, publicly or otherwise.
- This agreement covers all impacted customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
While neither the company nor ShinyHunters (they have their own website and spokesperson) has commented on financial considerations, cybersecurity expert Rachel Tobac, CEO of SocialProof Security, told The Washington Post, “Typically this type of resolution indicates a ransom has been paid.”
To Pay or Not to Pay
The long-accepted policy in corporate America has been to never pay extortionists, regardless of their threats. Expecting criminals to honor their promises and not come back for more was considered a fool’s errand. Negotiation was out of the question.
But that may be changing as hackers project more operational sophistication, working hard to mimic trust (and get paid more often). Tobac explains: “There are people who are in charge of negotiation for the ransom, people who are in charge of the hacking, people who deal with the press. It’s not dissimilar to a large corporation.”
As the Canvas case demonstrates, there are breaks in the conventional wisdom regarding response strategy. Zero-capitulation absolutists are getting harder to find. The Washington Post reports:
“There’s an ongoing debate over whether to negotiate with cybercriminals. Some argue it perpetuates ransomware attempts — potentially even on the same company — and funds cybercriminal activity. Others say it would be irresponsible not to pay a ransom when hundreds of millions of students, teachers and staff have had their personal data affected. Students could be disclosing personal health information, for example, when asking to postpone an exam. And the schools were also subject to extortion attempts.”
What does Tobac think? “I would say anytime we can limit the number of people harmed, that’s probably a good thing, but do the ends justify the means? I think the jury’s out still on that one.”
The FBI is more certain with its advice:
“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.”
How to Avoid and Prepare for a Ransom Attack
So, what should companies and organizations do to minimize the chances of having to make such a difficult (and expensive) decision? And how can they prepare for the worst?
The importance of robust cyber security and enforcement of safety protocols, especially as AI sharpens hackers’ tools, cannot be overstated. Canvas found that a “Free for Teacher” offering created a wide-open vulnerability exploited by the bad guys. Constant vigilance, troubleshooting, investment in the latest security technology, and training are basic requirements no matter what business you’re in.
Cyber insurance policies can be written to include coverage of ransom payments. Cyber extortion and ransomware riders are expensive and come with strict conditions and monitoring, usually requiring insurer approval before a ransom is paid. Going to school on the Canvas incident, set up a “what-if” meeting with your insurance advisors to review your coverage, their recommendations and protocols.
Make a situation similar to the Canvas experience the focus of your next crisis preparedness drill (hopefully, you’re having these exercises regularly). How would your leadership team respond to this type of pressure? Do you have a well-thought-out policy in place? What criteria would be used to weigh options? What law enforcement, insurance and legal resources would decision-makers turn to?
And in reviewing your business continuity and cyber incident response plans, make sure you know how you’ll communicate with internal and external audiences. In addition to being timely, helpful and clear, messages and actions must meet state and federal notification mandates. Canvas is likely to face litigation with customers, but its stakeholder communication has generally been good. They’ve hosted customer webinars and posted an excellent “Security Incident Update & FAQs” page worth checking out on the website of Canvas’ parent company Instructure, now owned by investment firm KKR and Dragoneer Investment Group.
My best advice is to take time now to think about what you would do if a cyber gang like ShinyHunters came calling. Did Canvas do the right thing? Better to have that discussion and debate before you’re under pressure and the clock starts ticking. And you may want to stop by the closest FBI field office to establish a relationship and get their thoughts on prevention and preparedness.
In the meantime, monitor the Canvas case to see how things are going. Hopefully, they’ll come out of this with a passing grade.
