Canvas (Instructure) Pays Ransom To ShinyHunters: What’s Next?

As discussed in our previous article, on May 7, 2026, Instructure experienced a significant data breach affecting Canvas, an online education management platform utilized by over 8,000 schools and universities across the country. ShinyHunters, a criminal hacking group, claimed responsibility for the attack and posted a ransom note with a deadline of May 12, 2026, for Instructure to negotiate a settlement. On May 11, 2026, Instructure publicly confirmed that it reached an agreement with ShinyHunters to pay an undisclosed ransom. The agreement allegedly covers all affected Instructure customers, eliminating the need for them to individually engage with the hackers. According to Instructure’s statement, as a result of the negotiation:

• The impacted data was returned to Instructure
• ShinyHunters provided digital confirmation that all exfiltrated data was destroyed/deleted (including shred logs)
• ShinyHunters provided assurances that no Instructure customers will be individually extorted as a result of this cyberattack

Instructure did not otherwise disclose the specific terms of the agreement or what it gave the hackers in exchange for the return of the impacted data.

While the agreement reduces the risk of the exfiltrated data being further disclosed, misused and/or publicly disseminated, it may not eliminate the legal obligations of Instructure and its institutional customers. Specifically, impacted customers should investigate the precise categories of data potentially at risk, and work with legal counsel to determine whether notification obligations persist. We are still awaiting more information from Instructure relating to impacted data. Instructure will provide a webinar and will continue to update its customers regarding the incident. We encourage all impacted institutions to continue consulting with counsel regarding their legal obligations in the wake of this breach. We will continue to provide updates as we receive more information.

Our team of attorneys at Bond, Schoeneck & King has extensive experience in higher education, school law and cybersecurity & data privacy. If you are an institution that uses Canvas or that is otherwise affected by this breach and have any questions about this update, please contact Amber Lawyer, Jessica Copeland, Shannon Knapp or any Bond attorney with whom you work regularly.

To monitor updates regarding this breach, visit https://www.instructure.com/incident_update for the latest information from Instructure.

Thank you for associate Courtney Ryan for her assistance in drafting this memorandum.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.