In an era where cyber threats loom large, the dilemma of whether businesses should pay ransoms to hackers has reached a fever pitch. This week, the US tech company Instructure, known for its educational platform Canvas, found itself embroiled in a significant ransomware attack that compromised the sensitive data of hundreds of millions of students globally. As the stakes rise, companies must navigate the murky waters of cyber extortion, weighing the potential consequences of payment against the risks of non-compliance.
A Major Breach Unfolds
After experiencing a week of service disruptions, Instructure revealed that it had come to an “agreement” with the malicious actors behind the attack—a term that many experts interpret as a euphemism for ransom payment. The notorious hacking group ShinyHunters claimed responsibility, threatening to leak a staggering 3.6TB of data, which included student ID numbers, email addresses, and personal messages from over 275 million users across 9,000 educational institutions.
In Australia alone, the ramifications were felt acutely, with more than two dozen universities and schools impacted. Renowned institutions such as RMIT and UTS had to extend assignment deadlines, as frustrated students found themselves unable to access their course materials.
The Cost of Compromise
Instructure later disclosed that the hackers had exploited vulnerabilities in its Free for Teacher software, allowing them to deface login pages and raise alarms about the breach. The company’s statement claimed that the data had been “returned” following their agreement with the hackers, and they even received “digital confirmation of data destruction” through shred logs—evidence that the compromised information had been irretrievably deleted.
Darren Hopkins, head of cyber at McGrathNicol, characterised Instructure’s communication as skilfully crafted, hinting at a possible ransom payment without outright admission. He remarked, “ShinyHunters is an extortion group. This is what they do. What other agreement will they come up with?”
Cybersecurity expert Luke Irwin offered insights into the financial implications, estimating that ransom demands could reach upwards of $10 million. While he noted the potential for negotiation, he emphasised the inherent risks of dealing with criminal organisations, stating, “You are taking