The Curated Daily
← Back to the archiveDispatch · 6 min read
Dispatch

Instructure pays ransom to Canvas hackers

By the editors·Tuesday, May 12, 2026·6 min read
A robotic hand reaching into a digital network on a blue background, symbolizing AI technology.
Photograph by Tara Winstead · Pexels

The educational technology (EdTech) landscape recently experienced a significant shock. Instructure, the company powering the widely-used Canvas Learning Management System (LMS), confirmed it was the victim of a sophisticated cyberattack in December 2023. More alarming, reports surfaced indicating Instructure paid a ransom to the hackers, the Clop ransomware group, to prevent the release of sensitive data. This incident raises critical questions about cybersecurity in EdTech, the financial implications for Instructure and its users (schools and universities), and the broader risks associated with data breaches. This article will unpack the details of the hack, analyze the financial consequences, and explore what this means for the future of data security in the education sector.

Understanding the Instructure/Canvas Hack

The cyberattack, attributed to the Clop ransomware group – a prolific player known for exploiting a vulnerability in the MOVEit Transfer file transfer software – targeted Instructure's systems and compromised a significant amount of data. The group claimed to have stolen data from over 800 organizations using MOVEit, and Instructure was unfortunately among them.

Initially, Instructure downplayed the severity of the incident, stating only that a “security incident” had occurred. However, subsequent investigations revealed the scope of the breach was far more extensive.

What data was compromised?

  • Student Data: Names, email addresses, and user IDs. While the extent of personally identifiable information (PII) varies, this information is valuable to cybercriminals.
  • Institutional Data: Information related to Canvas’s administrative functions and potentially financial data associated with subscription services.
  • Employee Data: Data related to Instructure employees, potentially including personal information and login credentials.
  • Source Code: Although not officially confirmed, there were concerns around potential theft of Canvas’s underlying code, which could be exploited to create more sophisticated attacks.

The Ransom Payment: A Difficult Decision

The revelation that Instructure paid a ransom to Clop sparked considerable debate. While Instructure hasn’t publicly disclosed the exact amount, estimates range from several million dollars. The company justified the decision as a measure to prevent the public release of stolen data, protecting the privacy of students and institutions.

However, paying ransom is a controversial strategy. Here's a breakdown of the pros and cons:

Pros:

  • Data Containment: Prevents sensitive data from being leaked online, minimizing potential harm to students and institutions.
  • Reputational Damage Control: Reduces the negative publicity associated with a large-scale data breach.
  • Operational Continuity: Allows the organization to restore operations more quickly.

Cons:

  • Funding Criminal Activity: Directly supports ransomware groups and incentivizes future attacks.
  • No Guarantee of Data Recovery: Hackers may not delete the data even after receiving payment. They may sell it on the dark web anyway.
  • Attracts Further Attacks: Organizations that pay ransoms are often targeted again.
  • Potential Legal Ramifications: In some jurisdictions, paying ransom may be illegal.

The decision to pay was likely influenced by the sensitive nature of the data and the potential for severe reputational and financial damage if it were to be exposed.

The Financial Implications: For Instructure and Beyond

The Canvas hack isn't just a technical problem; it’s a financial one. The costs associated with this breach are multifaceted and will extend far beyond the ransom payment.

Costs for Instructure:

  • Ransom Payment: As mentioned, estimated in the millions of dollars.
  • Forensic Investigation: Costs associated with determining the scope of the breach, identifying vulnerabilities, and recovering data. This typically involves cybersecurity experts and can run into hundreds of thousands of dollars.
  • Data Recovery & System Restoration: Rebuilding systems and restoring data from backups.
  • Legal Fees: Costs associated with investigating the breach, notifying affected individuals, and defending against potential lawsuits.
  • Reputational Damage: Loss of customer trust and potential decline in subscription revenue. Rebuilding trust requires significant investment in security and public relations.
  • Cyber Insurance Premiums: Expect a significant increase in cyber insurance premiums moving forward.
  • Security Enhancements: Investment in stronger security measures to prevent future attacks.

Costs for Institutions (Schools & Universities):

  • Notification Costs: Institutions using Canvas are responsible for notifying their students and employees about the breach, which can be expensive.
  • Credit Monitoring & Identity Theft Protection: Offering these services to affected individuals. offers comprehensive identity theft protection plans.
  • Increased IT Security Costs: Institutions may need to enhance their own IT security measures as a result of the breach.
  • Potential Lawsuits: Institutions could face lawsuits from students or employees whose data was compromised.
  • Reputational Damage: A breach affecting a widely-used tool like Canvas can erode trust in the institution's ability to protect sensitive information.

The Insurance Factor:

Cyber insurance is playing an increasingly important role in mitigating the financial impact of cyberattacks. However, obtaining comprehensive coverage is becoming more challenging and expensive. Insurance companies are becoming more selective about who they cover and are imposing stricter requirements for security controls. The Instructure breach will likely lead to further tightening of the cyber insurance market.

The Broader Implications for EdTech Security

The Instructure hack is a wake-up call for the entire EdTech industry. The sector has historically been underfunded and under-protected when it comes to cybersecurity. Several factors contribute to this vulnerability:

  • Limited Budgets: Schools and universities often have limited budgets for IT security.
  • Legacy Systems: Many institutions rely on outdated systems that are vulnerable to attack.
  • Lack of Expertise: A shortage of skilled cybersecurity professionals.
  • Complexity of the EdTech Ecosystem: The integration of numerous third-party applications creates a complex security landscape.
  • Attractive Target: Student data is a valuable commodity for cybercriminals.

What needs to change?

  • Increased Investment in Cybersecurity: Schools, universities, and EdTech companies must prioritize cybersecurity and allocate sufficient resources to protect sensitive data.
  • Strengthened Security Standards: Industry-wide security standards and best practices are needed.
  • Improved Data Privacy Regulations: Stronger data privacy regulations are crucial to protect student data.
  • Enhanced Collaboration: Collaboration between EdTech companies, institutions, and government agencies to share threat intelligence and best practices.
  • Proactive Threat Hunting: Regularly scanning systems for vulnerabilities and proactively seeking out potential threats. Consider using a VPN like to encrypt your internet traffic.

Protecting Yourself: What Can You Do?

While the onus is on Instructure and educational institutions to improve security, individuals can also take steps to protect their data:

  • Strong Passwords: Use strong, unique passwords for all your online accounts. Use a password manager like to securely store and manage your passwords.
  • Multi-Factor Authentication (MFA): Enable MFA whenever possible.
  • Be Wary of Phishing Attacks: Be cautious of suspicious emails or links.
  • Monitor Your Accounts: Regularly review your financial accounts and credit reports for unauthorized activity.
  • Update Software: Keep your software up to date to patch security vulnerabilities.
  • Privacy Settings: Review and adjust the privacy settings on your online accounts.

The Instructure/Canvas hack serves as a stark reminder of the growing threat of cyberattacks in the EdTech sector. The financial fallout will be significant, and the long-term implications for data security are substantial. Addressing these challenges requires a concerted effort from all stakeholders – EdTech companies, institutions, government agencies, and individuals.

Disclaimer: This article contains affiliate links. If you click on a link and make a purchase, we may receive a commission at no extra cost to you. This helps support our research and content creation. We only recommend products and services that we believe provide value.

Pass it onX·LinkedIn·Reddit·Email
The Sunday note

If this was your kind of read.

Sign up for the morning email — short, hand-written, and sent only when there's something worth your time.

Free, sent from a person, not a system. Unsubscribe in one click whenever.

Keep reading

The archive →
DispatchMay 12, 2026

Google says criminal hackers used AI to find a major software flaw