Canvas Hackers Agree to Delete Stolen Student Data in Ransomware Recovery

In a major cybersecurity incident that disrupted final exams for thousands of students, the company behind the Canvas online learning platform negotiated with hackers to delete stolen data. The attack, which targeted the widely used educational system, raised concerns about academic integrity and personal privacy. Below are key questions and answers explaining what happened and what it means for students and educators.

What exactly happened in the Canvas cyberattack?

In late 2024, hackers breached the servers of Instructure, the company that owns Canvas, stealing sensitive data including student records, login credentials, and possibly exam content. The timing was particularly damaging—during final exams for many colleges and universities. The attackers used ransomware to encrypt files and then demanded payment, threatening to leak the data online. This forced widespread cancellations and delays of exams, creating chaos for students and faculty alike.

Who were the hackers and what did they demand?

While the group's identity hasn't been officially confirmed, cybersecurity experts suspect a well-known ransomware gang, possibly linked to Eastern Europe. Their initial demand was a multimillion-dollar payment in cryptocurrency, along with a promise to delete the stolen data if paid. The attackers leveraged the urgency of finals week to pressure Instructure into negotiating quickly, knowing any leak could compromise academic records and personal information for millions of users.

How did Instructure respond and what deal was made?

Instructure confirmed it entered negotiations with the hackers and eventually struck a deal. The company paid an undisclosed ransom, likely in cryptocurrency, in exchange for the attackers providing a decryption key and deleting all stolen files. The company also worked with cybersecurity firms to verify that the data was indeed removed from the hackers' servers. A spokesperson stated the priority was protecting student privacy and ensuring the platform could resume operations safely.

What impact did this have on students and final exams?

The attack caused immediate disruptions: many institutions had to postpone or cancel finals, switch to paper-based exams, or use alternative assessment methods. Students reported stress and confusion, particularly those whose grades depended on online submissions. Some universities offered extended deadlines or pass/fail options. The incident highlighted the vulnerability of educational technology systems, especially during critical academic periods.

Is the stolen data now safe?

According to Instructure, the hackers have certified that all stolen data has been deleted. However, cybersecurity experts caution that complete trust is impossible—there's always a risk that copies may have been stored elsewhere or sold before deletion. The company has hired external auditors to review the process. Affected users are advised to change passwords and monitor accounts for suspicious activity. Legal actions against the hackers are unlikely due to jurisdictional challenges.

What measures is Canvas taking to prevent future attacks?

Instructure has committed to a comprehensive security overhaul, including enhanced encryption, multi-factor authentication for all accounts, and regular penetration testing. The platform will also adopt zero-trust architecture to limit access to sensitive data. Additionally, the company plans to invest in cyber insurance and a dedicated incident response team. Students and institutions can expect more transparent communication about security updates in the future.