Instructure, the parent company of the popular online education platform Canvas, this week announced it had paid hackers not to release data stolen during a ransomware attack.

According to the BBC, the Canvas attack affected an estimated 9,000 institutions in the US, Canada, Australia and the UK. The incident is one of the largest educational security breaches on record.

During the breach, many educational institutions were unable to access the Canvas platform. The Harvard Crimson noted that students at Harvard temporarily lost access to Canvas last Thursday, with users redirected from the learning management platform to a message from a hacking group known as ShinyHunters.

In the message, the group claimed it had “breached Instructure” and urged schools on the affected list to contact the group privately to negotiate a settlement before the end of the day on May 12, or risk their data being leaked.

The attack highlights that ransomware and supply chain attacks remain a significant threat, not just to educational institutions but to organizations in general. Today’s companies need not only to secure their own systems but also to consider the exposure presented by upstream software vendors.

The Canvas Ransomware Attack

The incident involved two major intrusions. Instructure’s incident update blog post explained that the company detected unauthorized activity in Canvas on April 29 and revoked the unauthorized party’s access.

Then on May 7, Instructure identified further unauthorized activity, after the actor made changes to the pages that appeared when students and teachers logged into Canvas. The company found out that the actor carried out the activity by exploiting an issue related to its Free-For-Teacher accounts.

“ShinyHunters took down Canvas in two attacks. The first came April 29. Instructure said it was resolved. Eight days later the login page was replaced with a ransom demand and 3.65 terabytes of student data on the table,” Amir Khayat, CEO and cofounder of agentic security provider Vorlon, told me via email.

Khayat notes that Canvas runs on 41% of North American higher education institutions. “One breach does not touch one school, it touches every institution that trusted the same vendor. The entry point was a Free-For-Teacher account, a lower-security tier Instructure made available to individual educators. Not a zero-day. A door someone left open,” Khayat said.

The widespread impact of the breach, which CNN reports affected top universities like Columbia, Princeton and Georgetown, put tremendous pressure on Instructure to settle. On May 11, the company updated its incident blog post to announce it had reached an agreement with the “unauthorized actor.”

The vendor noted that under the agreement, the data was returned and that it received digital confirmation of data destruction in the form of shred logs. It also claimed to have received an assurance that no customers would be extorted as a result of this incident. Whether this is the case remains to be seen.

Digital Platforms As A Target

One of the key takeaways from this ransomware attack is that software platforms are becoming a major target for cybercriminals to exploit as part of supply chain attacks.

For instance, Khayat told me that just recently, ShinyHunters breached Vercel through Context.ai, an authorized AI tool with OAuth access to a Vercel employee’s Google Workspace. He says the method is to find the trusted platform, identify its weakest access path and then use the access as a multiplier across every institution connected to it.

At its core, the incident is a reminder that third-party platforms might unlock new capabilities, but they also present potential entry points for attackers to exploit.

“One of the biggest takeaways from this incident is how disruptive cyberattacks have become when organizations rely heavily on a single digital platform for day-to-day operations,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told me via email.

“This also reinforces that educational institutions remain highly attractive targets because they store enormous amounts of sensitive personal data and often operate with limited cybersecurity resources compared to large enterprises,” Steinhauer said.

That being said, he argues the lessons from the incident extend far beyond schools, suggesting that any organization that centralizes communication, workflows and sensitive information into cloud-based platforms needs to recognize that a single breach can cascade into “widespread operational paralysis.”

Was This An AI-driven Attack?

As AI models like Claude Mythos demonstrate powerful offensive capabilities, there are growing concerns that hackers can use automation to enable these kinds of attacks. After all, an attacker only needs to discover one vulnerability to cause a breach. “AI is very likely to have been used in this attack to facilitate a faster and easier hack. Humans are still the weak link and we need to learn or ensure that our IT practices are strong and not bypassed,” Joe Hartmann, vice president of research at cybersecurity vendor Malwarebytes, told me via email.

“Most threat gangs are often run by just a few individuals. But they have the funds to hire and build out an entire enterprise with dozens of low-pay, single-task employees. Given enough time, you can get yourself into almost every network. With AI that time decreased significantly so we will see more of these types of attacks this year,” Hartmann said.

If AI can help threat actors to find exploits to enter target networks faster, defenders will need to work much harder to keep up with best practices like patching. Failure to do so will increase risk.

Ransomware Remains A Threat

Ever since the WannaCry outbreak in 2017, ransomware has remained one of the biggest threats facing modern enterprises. At the end of April, Veeam released its Q1 ransomware report, which found that the average ransom payment in Q1 2026 was $680,081, up 15% from Q4 2025.

The study attributes the increase in ransoms paid to the continued success of sophisticated groups targeting large enterprises with data-exfiltration-only incidents.

“What is particularly notable is the shift in attacker behaviour. Rather than a simple move away from volume attacks, ransomware affiliates are increasingly targeting organisations in the 11 to 1,000 employee range, which now accounts for the majority of incidents. This reflects a focus on environments where there is still a perceived higher probability of payment, even as overall resilience improves,” Magnus Jelen, lead director of incident response UK and EMEA at Coveware, told me via email.

At the same time, AI is allowing threat actors to move faster. “The growing use of automation and AI is accelerating both the speed and scale of exploitation, particularly when combined with unpatched vulnerabilities. This reinforces a critical point. Resilience today is not just about recovery, it is about ensuring systems are continuously updated and exposure windows are minimized,” Jelen said.

There are no simple solutions when dealing with supply chain attacks. While companies and educational providers can reduce risk by vetting software vendors and using only approved tools, they ultimately have no power to prevent breaches occurring in a third-party company.

“The most important lesson from the Canvas breach isn’t about Instructure, it’s about the assumptions defenders are making right now. If you’re a Canvas customer, treat every integration credential as compromised, audit your SSO exposure immediately and get a verified re-authorization channel in front of your users before attackers do it for you,” Jeanette Miller-Osborn, field cyber intelligence officer at real-time threat intelligence provider Dataminr, told me via email.

“More broadly, if you haven’t mapped which of your vendors represent single points of failure at this scale, this breach is your signal to start. The threat actors behind this have a refined, repeatable playbook and they will use it again,” Miller-Osborn said.

What organizations can do is double down on basic cybersecurity best practices, implementing regular patching to eliminate low-level exploits and make it harder for threat actors to gain direct access to their environments. While this doesn’t address third-party risk, it helps build resilience.

The situation becomes more complicated in the case of a breach. As Jelen pointed out in reference to Veeam’s research, paying a ransom is a high-risk decision. It doesn’t necessarily guarantee recovery and can lead to repeat targeting. Instead, keeping data protected and recoverable, with strong patch discipline and data resilience, is the key to limiting risk.