In the digital age, organisations are increasingly grappling with the precarious question of whether to pay ransoms to cybercriminals. A recent incident involving Instructure, the tech company behind the widely used education platform Canvas, has brought this issue to the forefront, highlighting the tensions between data security and corporate ethics. Following a major ransomware attack that compromised the personal information of millions, Instructure reportedly reached an agreement with the hackers, raising significant concerns about the implications of such payments.
The Canvas Compromise
Instructure’s encounter with the hacking group ShinyHunters serves as a stark reminder of the vulnerabilities that educational institutions face in today’s cyber landscape. The breach, which resulted in the theft of approximately 3.6 terabytes of data, included sensitive information such as student identification numbers, email addresses, and personal messages from nearly 275 million students and staff across 9,000 schools. As the attack unfolded, many affected institutions were forced to grant extensions on assignments due to access disruptions.
The company disclosed that the hackers had exploited a vulnerability in its Free for Teacher software, which enabled them to deface login pages and alert users to the ongoing breach. Instructure later announced that the data had been “returned” and that it had received “digital confirmation of data destruction,” a claim that experts interpret as an indication of a ransom payment, although the company has not explicitly confirmed this.
The Ransom Debate
The dilemma of whether to acquiesce to ransom demands is one that many organisations face, despite widespread advisories against such actions from governments in the UK, US, and Australia. A report by Akamai indicates that while outright bans on ransom payments are uncommon, the consensus remains that paying could exacerbate the problem by further incentivising cybercriminal behaviour.

In Australia, recent legislation raises the stakes even higher. Payments made to designated cybercriminals could lead to prosecution under the autonomous cyber sanctions law. The report indicates that, as of January 2026, at least 75 businesses had paid ransoms, though specifics about the amounts remain undisclosed. A survey of executives revealed that the average ransom paid had fallen to AUD 711,000, down from AUD 1.35 million the previous year. However, a striking 64% of respondents indicated that they had opted to pay a ransom when faced with such dire circumstances.
Trust and Transparency in Cybersecurity
Despite the risks associated with making payments, many organisations, including Instructure, find themselves in a tough spot when dealing with cybercriminals. The head of cyber forensics at McGrathNicol, Darren Hopkins, points out that the nature of these transactions hinges on trust — a commodity in short supply when negotiating with criminals. The fundamental question arises: Can a business rely on the honesty of a hacker?
According to cybersecurity expert Luke Irwin, the criminal’s reputation is crucial; maintaining a façade of integrity may encourage future victims to consider payment. However, the inherent risks remain. Cybercriminals might offer fabricated evidence of data deletion, leaving organisations with no verified assurance that their data is secure after payment.
Evolving Strategies Against Cybercrime
As businesses become more adept at fortifying their cybersecurity measures, the reliance on ransom payments appears to be diminishing. Companies are increasingly inclined to focus on proactive strategies, aiming to prevent attacks rather than simply responding to them. This shift in mindset is critical, as the landscape of cyber threats continues to evolve rapidly.

Instructure’s case illustrates the ongoing struggle within the education sector to balance the urgency of restoring services and protecting user data against the backdrop of ethical considerations surrounding ransom payments. The attack’s resolution, albeit through a controversial agreement, underscores the need for enhanced cybersecurity protocols across the sector.
Why it Matters
The incident involving Instructure and the subsequent ransom negotiations exemplifies the precarious tightrope that organisations must walk in the face of cyber extortion. As incidents of ransomware become more prevalent, the decisions made by companies regarding ransom payments can have far-reaching implications, not only for their operational integrity but also for the broader landscape of cybersecurity. The growing trend towards paying ransoms could inadvertently fuel more aggressive cybercriminal behaviour, making it imperative for organisations to invest in robust security measures and to advocate for comprehensive strategies that address the root causes of these threats.