In a stark reminder of the increasing threat posed by cybercriminals, Instructure, the company behind the popular education platform Canvas, has recently faced a ransomware attack that has left hundreds of millions of students’ personal data vulnerable. After enduring a week of system outages and defaced login pages, Instructure announced it had “reached an agreement” with the unidentified hackers, raising questions about the ethics and implications of paying ransoms in such scenarios.
The Attack on Instructure: A Massive Breach
The attack, attributed to the notorious hacking group ShinyHunters, reportedly resulted in the theft of 3.6 terabytes of sensitive data, including student ID numbers, email addresses, names, and messages from over 9,000 educational institutions and their 275 million students and staff worldwide. The breach not only stalled academic activities but also led to assignment extensions at numerous universities and schools, including RMIT and UTS, as students struggled to access the platform.
Instructure later revealed that the hackers had taken advantage of a vulnerability in its Free for Teacher software, enabling them to deface login pages and alert users to the breach. The firm’s latest statement hinted at a potential ransom payment, though it remains unconfirmed. The company claimed the data was “returned” as part of an agreement and provided “digital confirmation of data destruction,” a technical term indicating that the data was irretrievably erased.
The Ethical Quandary: To Pay or Not to Pay?
The debate surrounding whether to pay ransoms has been intensifying, with experts and governments across the globe generally advising against it. The logic is straightforward: paying ransoms can fuel further criminal activities and does not guarantee that the stolen data will remain secure or that the hackers will cease their threats.

As Darren Hopkins, head of cyber at forensic accounting firm McGrathNicol, explains, companies often grapple with the decision to pay hackers. “The question that arises in boardrooms is whether making a payment will truly stop the data from being exposed,” he stated. This uncertainty stems from the inherent distrust of the criminal world.
In Australia, the landscape is particularly complicated. According to Akamai’s 2025 ransomware industry report, while outright bans on paying ransoms are rare, paying an attacker could be deemed a criminal offence under certain sanctions. As of early 2026, 75 businesses with turnovers exceeding $3 million had opted to pay ransoms, with an average payment of $711,000, a significant drop from the previous year’s average of $1.35 million.
Navigating the Cybersecurity Landscape
With the rising frequency of cyberattacks, many organisations are bolstering their cybersecurity measures to mitigate risks. However, the reality is that even well-prepared businesses can find themselves at the mercy of hackers. Luke Irwin, a cybersecurity expert at Aegis, speculates that Instructure may have faced a ransom demand upwards of $10 million, although negotiations could have lowered that figure.
The fundamental question remains: can companies trust that paying a ransom will yield the desired outcome? While hackers like ShinyHunters have a vested interest in maintaining an air of credibility to encourage future payments, the risk is still substantial. Hopkins warns that even if hackers show proof of data destruction, there’s no way to validate their claims. “You’re left wondering what else they might have done behind the scenes.”
Why it Matters
As ransomware attacks become increasingly sophisticated and prevalent, the dilemma of whether to pay remains a pressing issue for businesses worldwide. The case of Instructure highlights the precarious balance between protecting sensitive data and inadvertently funding further criminal activity. As organisations navigate this treacherous landscape, the lessons learned from such high-profile breaches will be essential in shaping future cybersecurity protocols and policies, ultimately influencing how the corporate world responds to cyber threats in an age when digital security is paramount.
