Ransomware Dilemma: Should Companies Pay to Retrieve Stolen Data?

Alex Turner, Technology Editor

In a harrowing incident that has sent shockwaves through the education sector, US tech firm Instructure, the powerhouse behind the widely used Canvas platform, has faced a serious ransomware attack. This breach, which affected the personal data of millions of students and staff, raises pressing questions about the ethics and effectiveness of paying ransoms to cybercriminals. With the stakes at an all-time high, many businesses are grappling with the dilemma of whether to negotiate with hackers or stand firm against their demands.

The Canvas Attack: A Major Breach

After enduring a week of system outages, Instructure announced it had “reached an agreement” with the hackers, a phrase that many experts interpret as a sign that a ransom may have been paid. The notorious hacking group ShinyHunters has claimed responsibility, threatening to leak around 3.6TB of sensitive data, including student IDs, email addresses, and personal messages from over 9,000 educational institutions, affecting 275 million individuals globally.

The ramifications of this breach have been felt acutely in Australia, where numerous universities and schools, including RMIT and UTS, struggled to provide access to their systems, leading to assignment extensions for frustrated students. Instructure later revealed that the hackers exploited a vulnerability in its Free for Teacher software, allowing them to deface various login pages, including that of the University of Texas at San Antonio, to alert users to the breach.

The Price of Data Recovery

Instructure’s recent statements have suggested that they received “digital confirmation of data destruction” from the hackers, a shred log indicating that the stolen data has been irretrievably deleted. However, the ambiguity surrounding their public communication has left many sceptical. Darren Hopkins, head of cyber at McGrathNicol, noted that the language used by Instructure was carefully crafted to imply a resolution without explicitly confirming the payment of a ransom.

Luke Irwin, a cybersecurity expert, estimates that the ransom could have been as high as US$10 million, though negotiations may well have lowered this figure. He cautions that dealing with criminal organisations inherently carries risks, as the company must trust that the hackers will honour their agreement.

The Ethical Conundrum of Paying Ransoms

Governments globally, including those in the UK, US, and Australia, generally discourage companies from paying ransoms, arguing that doing so could encourage further attacks. According to Akamai’s 2025 ransomware report, a successful ransom payment reinforces the effectiveness of this crime, enticing more hackers to operate in this lucrative space.

In Australia, paying a ransom to designated attackers may even constitute a criminal offence under the autonomous cyber sanctions law. The sanctions office evaluates such payments on a case-by-case basis, reinforcing the message that companies should think twice before negotiating with criminals. Yet, the reality is stark—despite government advice, many firms opt to pay. A McGrathNicol report from November found that 64% of surveyed Australian businesses had chosen to pay a ransom, with an average payment of $711,000.

Preparing for Cyber Threats

The increasing frequency of cyber-attacks has prompted many organisations to bolster their cybersecurity measures. As a result, businesses are becoming less reliant on paying ransoms, focusing instead on preventing further data breaches. This shift represents a growing awareness of the risks associated with negotiating with hackers.

However, the lingering question remains: how trustworthy are these criminals once payment is made? Hopkins frequently encounters this dilemma in boardroom discussions, where the uncertainty of whether a payment will truly safeguard against data exposure is a common concern.

Why it Matters

The decision to pay a ransom can have far-reaching implications, not just for the affected organisation but for the broader landscape of cybersecurity. As more companies face the threat of ransomware, understanding the dynamics of these negotiations is crucial. Paying could potentially fund further criminal activity and embolden hackers, while an outright refusal may leave businesses vulnerable without any guarantees of data recovery. As the cyber threat landscape evolves, organisations must strike a delicate balance between immediate damage control and long-term strategic resilience.

Alex Turner has covered the technology industry for over a decade, specializing in artificial intelligence, cybersecurity, and Big Tech regulation. A former software engineer turned journalist, he brings technical depth to his reporting and has broken major stories on data privacy and platform accountability. His work has been cited by parliamentary committees and featured in documentaries on digital rights.
© 2026 The Update Desk. All rights reserved.