The Canvas attack shows how education platforms have become critical infrastructure — and paying hackers still raises major questions about whether student data is truly secure.
Last week’s Canvas cyberattacks caused a finals week nightmare for thousands of students across North America. excluding them from exams, assignments, and coursework – all while pitting them against the infamous ShinyHunters ransomware gang – something most students never expected.
275 million students and teachers on the Canvas by Instructure e-learning platform are at risk of being exposed announced over the weekend Along with “digital confirmation of data destruction” from ShinyHunters themselves, it paid off for experienced hackers.
An undisclosed ransom demand was reportedly paid to ShinyHunters as part of a deal aimed at preventing an imminent leak affecting schools worldwide, from kindergarten classes to universities.
But now the breach is turning into something bigger: a test of whether the more than 8,000 hacked schools can trust a hacker group’s claims that stolen student data was actually destroyed.
Paying hackers doesn’t eliminate risk
While this may be enough to prevent an immediate leak, it doesn’t erase the bigger problem – once student data is stolen, control is lost.
Judging by the December 2024 breach of edtech software provider PowerSchool, the lesson may not have been learned.
After PowerSchool allegedly demanded more than $60 million in ransom, a 19-year-old attacker began using the platform to extort 15,000 North American school districts, despite earlier promises to delete the stolen data.
Fast forward to the Canvas breach. The company says there is no evidence that the stolen data was leaked to the public or kept after the payment agreement.
The canvas appeared corrupted data including full names, email addresses, student IDs, course and enrollment information, plus “billions of private messages” exchanged on the platform.
While passwords, Social Security numbers, financial information, grades, coursework submissions and student files are not exposed, cyber experts say that once student data is in the hands of criminals, “the implications for identity theft, targeted social engineering, and even protection are serious and long-lasting.”
Despite historical evidence ransomware groups are lying, students, parents and schools are still being asked to accept that these cybercriminals will honor their end of the bargain.
Criminal promises are still criminals’ promises
To be fair, extortion groups sometimes do it for a reason. ShinyHunters and groups like it operate for profit. Their entire business model depends on victims believing that payment can mitigate damage, prevent leaks, or stop more extortion.
If hackers regularly take the money and leak data anyway, future victims have less incentive to pay.
In this sense, even criminal groups have a reputation to protect.
But that doesn’t make their promises valid. Data may be copied. Branches may retain files. Archives may resurface months later.
The PowerSchool breach has already shown how difficult it is for schools and families to know whether stolen student data is truly gone after a cyber extortion.
That’s why the Canvas case goes beyond a company apology and a single ransom note.
One platform, millions of students
The attack also exposed how today’s schools have become dependent on centralized cloud platforms to function at all.
Canvas is no longer just a homework portal. For many schools, it’s a classroom, gradebook, assignment tracker, messaging center, exam platform, and student records pipeline.
When initial negotiations failed, ShinyHunters upped the ante, defacing Canvas login pages with threats and targeting individual schools for extortion.
Frustrated by the system’s malfunction, students and teachers lost access to key classroom tools, school officials scrambled to contain the damage, and some schools were forced to cancel graduation exams altogether.
It’s the same troubling lesson seen in the infamous AWS and CrowdStrike breaches from years past: when one widely used platform fails, entire industries can grind to a halt.
The answer is not for schools to abandon cloud platforms altogether. This is unreal. But cyber insiders have long warned that organizations need realistic backup plans before outages occur, rather than post-shutdown solutions.
Because when the world’s classrooms run on a single platform, a cyberattack becomes an education crisis, not just an IT problem.
