Ransomware Dilemma: The Complex Choices Facing Businesses in Cybersecurity

Ryan Patel, Tech Industry Reporter

In the ever-evolving landscape of cybersecurity, the question of whether companies should concede to ransom demands from hackers looms large. As illustrated by a recent attack on the educational platform Canvas, operated by the US-based firm Instructure, the stakes are alarmingly high. With hundreds of millions of student records potentially compromised, organisations grapple with the difficult decision of whether to pay hefty ransoms to regain control and protect sensitive data.

The Canvas Attack: A Case Study in Cyber Extortion

Following a week of significant disruptions and data breaches affecting educational institutions worldwide, Instructure revealed that it had “reached an agreement” with the hacking group ShinyHunters, which claimed responsibility for the attack. While the company has not explicitly confirmed that a ransom was paid, experts interpret the phrasing as an indication that negotiations likely involved financial compensation.

Instructure’s systems were exploited through a vulnerability in its Free for Teacher software, leading to the theft of an alarming 3.6 terabytes of data. This data included personal information from around 275 million students and staff across 9,000 schools. In the aftermath, several universities in Australia, including RMIT and the University of Technology Sydney, were forced to extend assignment deadlines as their systems remained inaccessible.

The decision to pay a ransom remains contentious. Governments in the UK, US, and Australia typically advise against it, highlighting the risks associated with funding criminal enterprises. A report from Akamai, a leading cybersecurity firm, underscores that abstaining from ransom payments could diminish the effectiveness of such attacks, potentially dissuading cybercriminals from pursuing this avenue.

In Australia, the legal implications of paying ransoms are particularly complex. Under the autonomous cyber sanctions law, payments to designated attackers could lead to criminal charges, although each case is evaluated individually. Recent statistics reveal that, as of January 2026, 75 businesses with annual revenues exceeding $3 million had opted to pay ransoms, with the average payment in the country reported at $711,000—down from $1.35 million the previous year.

The Trust Factor: Risks of Engaging with Cybercriminals

The central dilemma for companies like Instructure is whether paying a ransom will actually prevent the release of sensitive data or further attacks. Darren Hopkins, head of cyber at McGrathNicol, emphasises the inherent risks in dealing with criminal organisations. “You are taking them at their word that they will commit to those outcomes,” he notes, acknowledging the precarious nature of such agreements.

The question frequently posed in boardrooms, according to Hopkins, is whether paying a ransom will stop the exposure of data. The dilemma hinges on trust—how reliable can a hacker be when their business model relies on deception? Experts like Luke Irwin from Aegis Cybersecurity argue that it is in the interests of groups like ShinyHunters to maintain a façade of good faith to encourage future victims to comply. However, Hopkins warns that organisations cannot fully rely on such assurances, as criminals may still retain copies of stolen data.

Preparing for the Inevitable

Despite the bleak landscape, there is a silver lining. Businesses are increasingly enhancing their cybersecurity protocols, making them less reliant on paying ransoms to recover from attacks. The focus is shifting from reactive measures to proactive strategies that aim to thwart breaches before they occur. While Instructure’s rapid engagement with ShinyHunters suggests a need for immediate recovery, many organisations are striving to bolster their defences and reduce vulnerabilities.

As cybersecurity threats continue to escalate, firms must balance the immediate need to protect data and user privacy against the long-term implications of engaging with cybercriminals.

Why it Matters

The dilemma of ransom payments encapsulates a broader concern within the realm of cybersecurity: how to navigate the treacherous waters of digital extortion while safeguarding sensitive information. As incidents like the Canvas attack become more commonplace, organisations must develop comprehensive strategies that not only address immediate threats but also mitigate the risk of future attacks. The choices made today will shape the landscape of cybersecurity for years to come, highlighting the need for robust policies, legal frameworks, and ethical considerations in an era where the line between security and compliance is increasingly blurred.

Ryan Patel reports on the technology industry with a focus on startups, venture capital, and tech business models. A former tech entrepreneur himself, he brings unique insights into the challenges facing digital companies. His coverage of tech layoffs, company culture, and industry trends has made him a trusted voice in the UK tech community.

© 2026 The Update Desk. All rights reserved.