"We received digital confirmation of data destruction (shred logs)," Instructure told its customers, and added that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise."
Instructure's assurance, ShinyHunters' claim, and the scale
The reassurance followed a May confrontation between Instructure — the company behind the Canvas learning platform — and the extortion group ShinyHunters, which said it had stolen data tied to 275 million students, teachers, and staff. Instructure told nearly 9,000 affected universities and K‑12 schools that it had "reached an agreement" with the attackers and received shred logs that purportedly showed the data was destroyed.
Security experts: scepticism is the rational default
Analysts who study ransomware and data extortion say the company's assurances will not change the operational reality. Allan Liska of Recorded Future said bluntly, "Do I believe they deleted the data? No. They're criminals and scumbags." Liska invoked a known negotiation dynamic, calling it "The Ransomware Trust Paradox" — extortion groups must at least claim to remove data after a deal so future victims will pay, while often retaining copies.
Cynthia Kaiser, senior vice president at the Halcyon Ransomware Research Center and a two‑decade former FBI investigator, echoed that view: "'We destroyed the data' is a standard line from extortion groups once a payment is made or negotiations conclude, but time after time it has proven untrue." Kaiser pointed to ShinyHunters' "documented history of recycling, reselling, and re‑leveraging stolen data across campaigns" and warned that the incident is unlikely to be the last threat to schools.
Operational calculus, precedent, and the money question
Instructure's wording — "reached an agreement" — was read by some experts as euphemism for payment. Doug Thompson of Tanium estimated that the figure likely sits "somewhere between $5 million and $30 million." The piece notes that Instructure executives never directly said they paid and that the exact demand is unknown, but observers treat the phrase as corporate-speak for capitulation.
That calculus plays out against evolving advice and precedent. "The FBI says don’t pay," the story recounts, and Emsisoft's Luke Connolly said he has "long advocated before for a ban on ransomware payments." Yet firms and institutions often face a midnight decision: avert imminent harm to students, patients, or operations, or adhere to the law‑enforcement guidance against payment.
Past cases sharpen that dilemma. PowerSchool — breached in December 2024 and said to have affected "tens of millions of students" — reportedly paid about $2.85 million in bitcoin for a video the attackers said showed data destruction. Yet months later, PowerSchool customers received individual extortion threats from either the same crew or affiliates. Chainalysis found the percentage of victims paying in 2025 dropped to an all‑time low of 28 percent, but attackers continue to exploit pressure points.
Survey data cited by CrowdStrike shows the tradeoffs: of 1,100 global security leaders polled last summer, 78 percent experienced a ransomware attack in the prior year; of those that paid, 83 percent were attacked again, and 93 percent lost data regardless of payment.
Attack tactics and immediate impacts on schools
ShinyHunters reportedly began compromising Instructure in late April. When a pay‑or‑leak deadline passed on May 6, the crew changed strategy: it injected a ransom message into roughly 330 Canvas school login portals, forcing Instructure to take the platform offline for a day — an outage that coincided with final exams and Advanced Placement testing at many schools. The Register recounts other extortion groups' tactics, from posting preschoolers' pictures and addresses to leaking cancer patients' nude photos and threatening swatting, and cites Mandiant Consulting CTO Charles Carmakal's assessment that ransomware has morphed into "psychological attacks."
Kaiser warned that Halcyon "expects targeted phishing waves against staff, students, and parents over the next six to 12 months using leaked names, email addresses, and Canvas chat context to make the lures convincing."
What this means for technologists, policymakers, and educators
- Technologists and security teams: Expect re‑use of stolen Canvas data in targeted phishing and social‑engineering campaigns, and continued attempts at school‑level extortion after vendor compromises, per Halcyon and Recorded Future.
- Policymakers and regulators: The story underscores the incentive problem Luke Connolly and others highlight — calls for bans on ransomware payments collide with real operational pressures during exams and enrollment seasons.
- Universities and K‑12 schools and procurement leaders: Concentration matters. Doug Thompson noted that "PowerSchool, Infinite Campus, Canvas, Blackboard; those four hold records on something close to every American student," and that switching vendors is costly and disruptive — factors that make education a repeat target.
The public fact pattern is stark and simple: the attackers said they had massive education data; Instructure says it got shred logs and reached an agreement; security practitioners and precedent say deleted data claims by extortionists should be treated with deep scepticism. Whether the shred logs mark the end of this incident or merely the start of new phishing and extortion waves will be the clearest test in the months ahead.




