
Company behind Canvas makes deal with hackers; Says stolen data was destroyed

Published on May 14, 2026 at 10:08 am
Updated on May 21, 2026 at 10:48 am
Sydney Document Shredding Service

Instructure paid hackers to destroy stolen data from 275 million Canvas users.

  • What Happened

    ShinyHunters breached Canvas twice in May 2026, stealing 3.65TB of data from 275 million users across 8,809 institutions. Instructure paid an undisclosed sum for data destruction.
  • Why This Matters

    You'll understand vendor risk management, data destruction verification challenges, and Australian Privacy Act obligations that apply when breaches expose client information.
  • Critical Reality

    No verification method guarantees complete data deletion. Hackers can retain copies despite agreements, making prevention far more valuable than negotiation.

When education platforms get breached, the ripple effects touch businesses everywhere—including yours. This incident reveals how negotiating with cybercriminals has become a calculated business decision, and why vendor security vulnerabilities should concern every organisation handling confidential information.

What Happened: The Instructure Data Breach

In late April and early May 2026, Instructure, the education technology company behind the widely-used Canvas learning management system, confirmed it had reached an agreement with cybercriminals who breached its systems.

The hackers claimed to have stolen sensitive data from millions of users, including student records, email addresses, and login credentials.

According to the company’s official statement, the attackers agreed to destroy all stolen data in exchange for an undisclosed settlement. Instructure maintains that no financial information or passwords were compromised during the breach, though the full scope of exposed personal information remains under investigation by cybersecurity experts.

The incident highlights a growing trend in corporate cybersecurity: negotiating directly with threat actors rather than relying solely on law enforcement intervention. Instructure serves over 30 million users globally across K-12 schools, universities, and corporate training programs, making this breach one of the most significant in the education technology sector.

The company detected the unauthorized access in late April 2026 but only disclosed the incident publicly after securing the data destruction agreement.

Timeline of the Security Incident

The breach timeline reveals critical gaps in detection and response.

Instructure detected unauthorized activity in Canvas on April 29, 2026. The company’s security team identified suspicious activity and confirmed data exfiltration shortly thereafter.

By May 3, 2026, the hacking group ShinyHunters publicly claimed responsibility and set a May 6 deadline for Instructure to respond.

On May 7, 2026, ShinyHunters breached Instructure again using the same vulnerability, defacing Canvas login portals at approximately 330 institutions with extortion messages and extending the deadline to May 12, 2026.

The negotiation process concluded with a formal agreement on May 11, 2026. Instructure engaged third-party cybersecurity firms to verify the data destruction, though experts note that confirming complete deletion of stolen data remains technically challenging.

Scope of Compromised Information

The breach is considered the largest educational security breach on record, affecting 8,809 universities, educational ministries, and other institutions worldwide.

ShinyHunters claimed to have stolen 3.65 terabytes of data from approximately 275 million users, including private messages exchanged between students and teachers.

Exposed information included full names, email addresses, institutional affiliations, course enrollment data, and messages exchanged through Canvas. While Instructure claims payment information remained secure due to segregated systems, the breach included substantial personal data that could enable targeted phishing attacks.

Particularly concerning for document security professionals: the breach included metadata about file uploads and sharing patterns within Canvas, revealing which users exchanged sensitive documents and when. For organizations handling confidential materials through Canvas, this metadata exposure creates potential compliance issues under data protection regulations.

Critical Point: Even when file contents remain secure, metadata about document handling patterns can reveal sensitive operational information to unauthorized parties.

The Controversial Data Destruction Deal

Instructure’s decision to negotiate directly with hackers represents a contentious approach that divides cybersecurity professionals.

The company paid an undisclosed sum in exchange for deletion assurances and a non-disclosure commitment from the attackers. According to reporting, the hacking group ShinyHunters had been seeking a ransom of approximately USD $10 million.

This strategy prioritizes immediate risk mitigation over criminal prosecution, a calculation that many security experts view as pragmatic but ethically problematic.

How Data Destruction Agreements Work

These arrangements typically involve cryptocurrency payments to threat actors who provide “proof of deletion” through various verification methods.

Instructure received “digital confirmation” the hackers destroyed any remaining copies, in the form of “shred logs”.

Common verification approaches include allowing the victim company to observe file deletion through screen-sharing sessions, providing cryptographic hashes that confirm data destruction, or engaging neutral third-party auditors to witness the process.

However, cybersecurity researchers emphasize that no verification method can guarantee completeness. The company acknowledged there was no way to be sure the data was erased for good, stating “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control”.

Attackers can retain backup copies, share data with affiliates before deletion, or sell information to third parties despite contractual agreements.
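What a hash-based "shred log" can and cannot establish, as an added example that is not from the original article or from Instructure. The one-entry-per-line log format, the file names and the sample bytes are constructed assumptions.

```python
import hashlib
import re

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for objects the victim's own forensics lists as exfiltrated.
INVENTORY = {
    "exports/messages_0001.json": b'{"thread": 1, "body": "constructed sample A"}',
    "exports/messages_0002.json": b'{"thread": 2, "body": "constructed sample B"}',
    "exports/enrollments.csv": b"user_id,course_id\n1001,BIO-101\n",
    "exports/users.csv": b"user_id,email\n1001,student@example.edu\n",
}
# Constructed object the other party held that the victim never identified.
UNINVENTORIED = b"ticket_id,attachment\n77,constructed.pdf\n"

def build_sample_log():
    """Constructed shred log, one '<sha256> shredded' entry per line (hypothetical format)."""
    listed = [
        INVENTORY["exports/messages_0001.json"],
        INVENTORY["exports/enrollments.csv"],
        INVENTORY["exports/enrollments.csv"],  # same object listed twice
        UNINVENTORIED,
    ]
    lines = [f"{sha256_hex(blob)} shredded" for blob in listed]
    lines.append("not-a-hash shredded")  # malformed entry
    return "\n".join(lines)

ENTRY_RE = re.compile(r"^([0-9a-f]{64}) shredded$")

def reconcile(inventory, log_text):
    """Compare a shred log against the victim's inventory of exfiltrated objects."""
    known = {sha256_hex(data): path for path, data in inventory.items()}
    seen, duplicates, malformed = set(), 0, 0
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            malformed += 1
            continue
        digest = match.group(1)
        if digest in seen:
            duplicates += 1  # padding the entry count adds no coverage
        seen.add(digest)
    return {
        # A matching hash shows the other party held these exact bytes.
        "possession_shown": sorted(known[d] for d in seen if d in known),
        # Inventory items the log makes no claim about at all.
        "not_covered": sorted(p for d, p in known.items() if d not in seen),
        # Hashes the victim cannot map to anything: scope may be larger than assessed.
        "unknown_to_victim": len(seen - set(known)),
        "duplicates": duplicates,
        "malformed": malformed,
    }

if __name__ == "__main__":
    for field, value in reconcile(INVENTORY, build_sample_log()).items():
        print(f"{field}: {value}")
```

A hash can be computed from any copy at any time, so even full coverage in this reconciliation says nothing about whether other copies still exist.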

Financial vs. Reputational Calculations

For Instructure, the settlement likely cost significantly less than potential regulatory fines, class-action lawsuits, and long-term reputational damage from a prolonged data exposure.

Under privacy regulations like GDPR and Australia’s Privacy Act, companies face substantial penalties for data breaches—potentially reaching millions of dollars depending on affected user counts and negligence factors.

Under amendments that took effect in December 2022, companies now face penalties for serious or repeated interference with privacy equal to the greater of A$50 million or three times the value of the benefit obtained.

The company’s risk assessment apparently concluded that paying hackers provided better financial and operational outcomes than allowing stolen data to circulate on dark web marketplaces. This calculation becomes particularly relevant for businesses handling sensitive client information, where data exposure could trigger contractual penalties and client defections.

Legal and Ethical Implications

Law enforcement agencies consistently advise against paying ransoms or negotiating with cybercriminals, arguing that such payments fund criminal enterprises and encourage future attacks.

The FBI and Australian Cyber Security Centre maintain that payments don’t guarantee data deletion and may mark organizations as willing to negotiate, inviting repeated targeting.

From a legal standpoint, companies in certain jurisdictions face potential sanctions for making payments to designated terrorist organizations or sanctioned entities. Instructure’s legal team likely conducted extensive due diligence to ensure compliance with anti-money laundering regulations and sanctions laws before proceeding with the settlement.

Regulatory Reality: In Australia, organizations covered by the Notifiable Data Breaches scheme must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

Implications for Data Security Practices

The Instructure incident exposes fundamental vulnerabilities in how organizations protect sensitive information, particularly in cloud-based systems handling confidential documents and personal data.


For businesses managing client records, financial documents, or proprietary information, this breach offers critical lessons about layered security approaches and vendor risk management.

Vendor Access Controls

The breach originated through an exploited vulnerability involving support tickets in Instructure’s Free-For-Teacher environment, a system with insufficient security controls.

This attack vector has become increasingly common as organizations expand their technology ecosystems with numerous service providers, each requiring varying levels of system access.

The principle of least privilege, which limits user access to only what’s necessary for their specific role, was evidently not rigorously enforced in Instructure’s vendor management protocols.

Organizations should implement strict vendor access policies including time-limited credentials, multi-factor authentication requirements, and continuous monitoring of third-party access patterns. For companies in the document destruction sector like SydneyShred, similar principles apply when managing digital systems that track client service records and destruction certificates—any vendor accessing these systems represents a potential vulnerability point.

Encryption and Data Segmentation

While Instructure claims payment systems remained secure due to network segmentation, the exposure of user data and messages reveals gaps in data protection strategies. Effective security architecture requires multiple defensive layers:

  • Data-at-rest encryption protects stored information even if attackers gain system access.
  • Data-in-transit encryption secures information during transmission between systems.
  • Tokenization replaces sensitive data with non-sensitive equivalents in operational databases.
  • Network segmentation isolates critical systems from general infrastructure.

Organizations handling confidential documents should encrypt files both in storage and during transmission, ensuring that even if attackers breach perimeter defenses, the stolen data remains unusable without decryption keys stored in separate, hardened systems.

Monitoring and Incident Response

The gap between initial compromise and effective response represents a critical failure in security monitoring. Modern threat detection requires real-time analysis of user behavior, network traffic patterns, and system access logs to identify anomalies indicating potential breaches.

Key monitoring capabilities include:

  1. Anomaly detection algorithms that flag unusual data access patterns
  2. Privileged access monitoring tracking all administrative actions
  3. Data exfiltration detection identifying large-scale data transfers
  4. Login behavior analysis spotting credential misuse
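The anomaly detection and data exfiltration detection items above, as an added example that is not from the original article or from Instructure: each account's daily outbound volume is compared with its own earlier days using a median/MAD outlier score. The log format, account names and thresholds are assumptions, and the log lines are constructed.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log; the line format and account names are assumptions.
SAMPLE_LOG = """\
2026-03-02T09:14:02Z account=support-integration bytes=21000000
2026-03-03T09:10:40Z account=support-integration bytes=19500000
2026-03-04T09:12:13Z account=support-integration bytes=22400000
2026-03-05T09:11:55Z account=support-integration bytes=20100000
2026-03-06T09:15:31Z account=support-integration bytes=18900000
2026-03-09T09:13:07Z account=support-integration bytes=21700000
2026-03-10T02:41:19Z account=support-integration bytes=20600000000
2026-03-10T03:17:44Z account=support-integration bytes=20600000000
2026-03-11T02:38:50Z account=support-integration bytes=38900000000
2026-03-02T13:02:44Z account=teacher-4411 bytes=5200000
2026-03-03T13:40:09Z account=teacher-4411 bytes=4800000
2026-03-10T14:21:30Z account=teacher-4411 bytes=6100000
2026-03-10T03:05:12Z account=free-tier-0193 bytes=2300000000
truncated line without fields
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ account=(\S+) bytes=(\d+)$")

def daily_egress(log_text):
    """Sum response bytes per account per day; lines that do not parse are skipped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            day, account, nbytes = match.groups()
            totals[account][day] += int(nbytes)
    return totals

def classify(value, history, min_history=5, z_cut=3.5, floor=500_000_000):
    """Return an alert reason for one day's volume, or None if it looks normal."""
    if value < floor:
        return None  # ignore volumes too small to matter, however unusual
    if len(history) < min_history:
        return "no-baseline"  # large transfer from an account with little history
    med = statistics.median(history)
    mad = statistics.median([abs(h - med) for h in history])
    if mad == 0:
        # Perfectly flat history: fall back to a simple ratio test.
        return "outlier" if value > 10 * max(med, 1) else None
    robust_z = 0.6745 * (value - med) / mad
    return "outlier" if robust_z > z_cut else None

def flag_exfiltration(totals):
    """Walk each account's days in order and collect (account, day, bytes, reason)."""
    alerts = []
    for account, by_day in totals.items():
        history = []
        for day in sorted(by_day):
            reason = classify(by_day[day], history)
            if reason:
                alerts.append((account, day, by_day[day], reason))
            else:
                history.append(by_day[day])  # flagged days never enter the baseline
    return sorted(alerts)

if __name__ == "__main__":
    for alert in flag_exfiltration(daily_egress(SAMPLE_LOG)):
        print(alert)
```

Keeping flagged days out of the baseline matters for a multi-day transfer: otherwise the first large day raises the median and the following days pass as normal.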

Effective incident response plans should define clear escalation procedures, communication protocols, and decision-making frameworks for breach scenarios—including whether negotiating with attackers aligns with organizational values and legal obligations.

The Instructure breach fits within broader patterns affecting organizations across sectors, from healthcare providers to financial institutions to document management companies. Understanding these trends helps businesses anticipate emerging threats and adapt security strategies accordingly.

Rise of Ransomware and Extortion Tactics

Traditional ransomware attacks encrypt victim data and demand payment for decryption keys. Modern variants add a second extortion layer: threatening to publish stolen data unless additional payments are made.

This “double extortion” model combines encryption with data exfiltration—essentially a double whammy of ransomware and extortionware tactics.

Some threat actors now skip encryption entirely, focusing exclusively on data theft and extortion—exactly what occurred with Instructure. As a response to declining ransom payments, one of the developments in the 2026 landscape is the growing prevalence of extortion incidents in which no file encryption takes place at all.

This evolution reflects attackers’ recognition that data exposure often causes more damage than temporary system unavailability, particularly for organizations handling sensitive client information.

Targeting Educational and Professional Service Sectors

Education technology companies, healthcare providers, and professional service firms have become prime targets due to the sensitive personal information they manage and often-limited cybersecurity budgets compared to financial institutions.

These organizations frequently operate on thin margins, making them more likely to pay ransoms to avoid operational disruption and regulatory penalties.

For Australian businesses in service sectors handling confidential client data, this targeting trend demands proportionate security investments. Even small operations managing sensitive information face sophisticated threats previously associated only with large enterprises.

Supply Chain Vulnerabilities

The vulnerability in Instructure’s Free-For-Teacher system that enabled the breach exemplifies supply chain attacks—exploiting trusted third-party relationships or insufficiently secured systems to access target data.

According to Verizon’s Data Breach Investigations Report, 30% of breaches involved a third-party vendor, twice as much as the previous year.

High-profile incidents like the SolarWinds breach and MOVEit Transfer vulnerability have demonstrated how attackers leverage system weaknesses to compromise multiple organizations simultaneously.

Organizations must extend security requirements throughout their vendor ecosystems, conducting regular security assessments of suppliers, contractors, and technology partners. For document destruction companies, this includes vetting providers of scheduling software, customer portals, and certificate management systems.

Industry Insight: According to IBM’s 2024 Cost of a Data Breach report, the average cost of a third-party breach is over $5.08 million—making vendor risk management a critical component of comprehensive security programs.

Protective Measures for Organizations

Based on lessons from the Instructure incident and similar breaches, organizations handling sensitive information should implement comprehensive security frameworks addressing technical controls, operational procedures, and governance structures.


Technical Security Controls

Multi-factor authentication (MFA) should be mandatory for all system access, particularly administrative accounts and remote connections. MFA significantly reduces credential compromise risks, as attackers need both passwords and secondary authentication factors (mobile codes, hardware tokens, biometric verification).

Endpoint detection and response (EDR) systems monitor individual devices for malicious activity, providing visibility into potential compromises before they escalate to full-scale breaches. These tools detect unusual processes, unauthorized software installations, and suspicious file access patterns.

Data loss prevention (DLP) technologies identify and block unauthorized data transfers, preventing exfiltration even when attackers gain system access. DLP systems can flag attempts to copy large volumes of sensitive files, email confidential documents to external addresses, or upload data to unauthorized cloud storage.

Regular security patching eliminates known vulnerabilities that attackers exploit to gain initial access. Organizations should maintain patch management schedules ensuring critical updates deploy within days of release, with automated systems where possible.

Operational Security Practices

Security Practice            | Implementation Frequency | Primary Benefit
Vulnerability scanning       | Weekly                   | Identifies exploitable system weaknesses
Penetration testing          | Quarterly                | Validates defensive controls effectiveness
Access rights review         | Monthly                  | Removes unnecessary user privileges
Security awareness training  | Quarterly                | Reduces human error vulnerabilities
Backup verification          | Weekly                   | Ensures recovery capability
Incident response drills     | Semi-annually            | Tests breach response procedures

Security awareness training addresses the human element, teaching employees to recognize phishing attempts, practice secure password management, and report suspicious activities. Regular training reduces successful social engineering attacks, which remain among the most common initial breach vectors.

Backup strategies following the 3-2-1 rule (three copies, two different media types, one offsite) ensure data recovery capability even after ransomware attacks or destructive breaches. Critically, backup systems must be isolated from production networks to prevent attackers from encrypting or deleting backup data.

Governance and Compliance Frameworks

Privacy impact assessments should evaluate data collection, storage, and processing activities to identify compliance obligations and security requirements. These assessments guide decisions about data retention periods, access controls, and encryption standards.

Vendor security requirements formalized in contracts establish baseline security expectations for third-party service providers. Requirements should address encryption standards, access controls, incident notification timelines, and audit rights.

Cyber insurance policies provide financial protection against breach-related costs including forensic investigations, legal fees, regulatory fines, and customer notification expenses. However, insurers increasingly require demonstrable security controls before issuing policies, making strong security practices both protective measures and insurance prerequisites.

For document destruction businesses like SydneyShred, robust security practices protect not only operational systems but also demonstrate commitment to confidentiality that differentiates professional services from less-secure alternatives. Clients entrusting sensitive documents for destruction expect equivalent digital security protecting service records and destruction certificates.

Lessons for Australian Businesses

Australian organizations face specific regulatory requirements and threat landscapes that shape appropriate security responses to incidents like the Instructure breach. Understanding these local factors helps businesses develop compliance-aligned security strategies.

Privacy Act Obligations

Under Australia’s Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, organizations must assess suspected data breaches and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when breaches are likely to result in serious harm.

An eligible data breach occurs when there is unauthorized access to or disclosure of personal information held by an entity, this is likely to result in serious harm to any of the individuals to whom the information relates, and the entity has been unable to prevent the likely risk of serious harm with remedial action.

Serious harm encompasses physical, psychological, emotional, financial, or reputational damage to affected individuals. For breaches involving authentication credentials, contact information, or sensitive personal data, the serious harm threshold is generally met, triggering notification obligations.

Under amendments that took effect in December 2022, the maximum penalty for a serious or repeated interference with privacy is now the greater of A$50 million, three times the benefit of a contravention, or 30% of domestic turnover.

This regulatory framework makes incident response planning and breach detection capabilities essential compliance requirements, not merely security best practices.

Australian Cyber Security Centre Guidance

The Australian Cyber Security Centre (ACSC) provides the Essential Eight framework—a prioritized list of mitigation strategies designed to protect organizations against various cyber threats.

While no set of mitigation strategies is guaranteed to protect against all cyber threats, the ACSC recommends that organizations implement eight essential mitigation strategies, known as the Essential Eight, as a baseline that makes it much harder for adversaries to compromise systems.

These strategies address the most common attack vectors observed in Australian breaches:

  1. Application control preventing unauthorized software execution
  2. Patch applications addressing software vulnerabilities
  3. Configure Microsoft Office macro settings blocking malicious macros
  4. User application hardening reducing attack surfaces
  5. Restrict administrative privileges limiting damage from compromised accounts
  6. Patch operating systems eliminating system-level vulnerabilities
  7. Multi-factor authentication protecting against credential theft
  8. Regular backups enabling recovery from destructive attacks

Organizations implementing all Essential Eight strategies at Maturity Level Two or higher demonstrate baseline security competence aligned with government expectations. For businesses handling sensitive client data, achieving Maturity Level Three provides stronger protection against sophisticated threats.

Industry-Specific Considerations

Document destruction and data security service providers face unique responsibilities as custodians of client confidential information. A security breach affecting service records could expose which organizations use destruction services, what types of documents they destroy, and destruction schedules—information potentially valuable for corporate espionage or targeted attacks.

Professional service providers should implement security controls proportionate to the sensitivity of client information they manage. This includes encrypting client databases, restricting access to service records, maintaining detailed audit logs, and conducting regular security assessments.

Compliance Reminder: Australian businesses subject to the Privacy Act must implement reasonable security measures to protect personal information—a standard evaluated based on the sensitivity of information, potential harm from misuse, and industry security practices.

For organizations throughout Australia handling confidential materials—whether digitally or physically—the Instructure incident reinforces that comprehensive security requires addressing both technical vulnerabilities and operational procedures. Strong security practices protect client trust, ensure regulatory compliance, and provide competitive differentiation in markets where confidentiality represents a core value proposition.

Frequently Asked Questions

The breach involved usernames, email addresses, course names, enrollment information, and messages exchanged between users. ShinyHunters claimed to have stolen approximately 3.65 terabytes of data from around 275 million users, including private messages between students and teachers. However, Instructure confirmed that passwords, birth dates, government IDs, financial information, and core learning data such as course content and submissions were not compromised.

The breach is considered the largest educational security breach on record, affecting 8,809 universities, educational ministries, and other institutions worldwide. The leaked list spans institutions across 50 countries and 6 continents, with the United States accounting for 94.6% of affected institutions. The impact was particularly significant in the United States, where Canvas is used by 41% of higher education institutions as well as some K-12 schools.

Instructure reached an agreement with ShinyHunters on May 11, 2026, claiming the compromised data was destroyed. The company did not disclose the monetary value of the deal, though the agreement was reached one day before the May 12 ransom deadline. Instructure stated it received digital confirmation of data destruction through shred logs and assurance that no customers would be extorted as a result of the incident.

The attackers exploited a vulnerability regarding support tickets in Instructure’s Free-for-Teacher environment. Despite Instructure’s initial claim that the situation had been resolved, Canvas was hacked again on May 7 when its login page was replaced with a ransomware message by ShinyHunters. As a result, Instructure temporarily shut down all Free-For-Teacher accounts to remove the access path the hackers used.

Schools are urging users to be on high alert for unsolicited emails or messages that appear to come from Canvas, especially those requesting login credentials. The breach enables highly convincing follow-on attacks, as threat actors potentially have real names, institutional email addresses, course context, and private message history to craft phishing messages nearly indistinguishable from legitimate communications. Users should report any unusual activity to their institution and avoid clicking suspicious links.

Instructure first detected unauthorized activity in Canvas on April 29, 2026, with the initial cybersecurity incident disclosed on May 1-2. A second attack occurred on May 7 at approximately 1:20 p.m. PDT when students discovered the defaced Canvas login page displaying a ransom message. Canvas was fully back online and available for use by Friday, May 8, though some institutions extended deadlines and changed finals schedules due to the disruption.

Canvas is fully back online and available for use, according to Instructure’s status page. The company’s external forensic partner reviewed the known indicators and found no evidence that the threat actor currently has access to the platform. Instructure has revoked privileged credentials, deployed additional platform protections, rotated internal keys, restricted token creation pathways, and added monitoring across their platforms. However, institutions should continue monitoring their Canvas environments and remain vigilant for potential phishing attempts.
