New Delhi, June 1 (IANS) The debate over digital security in education systems has intensified after the maker of the widely used Canvas platform reached a deal with hackers following a major cyberattack that disrupted thousands of universities and colleges globally, according to multiple reports.
While concerns are now being raised about the robustness of systems handling sensitive student data, including exam records and answer sheets in cloud storage such as those under the Central Board of Secondary Education (CBSE) ecosystem, the Canvas breach has highlighted the growing vulnerability of large-scale education infrastructure.
US-headquartered Instructure — which operates Canvas LMS — confirmed that it has reached an agreement with the hackers behind April’s cyberattack, which impacted an estimated 9,000 institutions across the United States, Canada, Australia and the United Kingdom.
Reports said the breach led to widespread disruption, including interruptions during exams after the Canvas platform went down.
The attackers had claimed to have stolen around 3.5 terabytes of student and institutional data and threatened to publish it online unless a ransom was paid.
Reports suggest that Instructure said the hackers have claimed to have deleted the stolen data and assured that no customers would be further extorted under the agreement.
While the company has not confirmed any financial transaction, cyber experts note that such agreements are often associated with ransom negotiations conducted through encrypted channels.
According to Instructure, the agreement includes confirmation that the data has been returned, digital verification of its deletion and assurances that affected customers will not be targeted further.
The breach was discovered on April 29 and claimed by the Shiny Hunters extortion group, which has previously been linked to multiple global cyber incidents.
Notably, Canvas LMS, a learning management system, was impacted by both the data breach and service outage.
Instructure said it was investigating a cybersecurity incident involving certain user data, including names, email addresses, student ID numbers and messages exchanged among users.
The company added that there was no evidence that passwords, dates of birth, government identification numbers or financial information were accessed in the breach.
