Canvas Parent Firm Reaches Agreement With Hackers After Cyberattack

NEW DELHI — Concerns over digital security in education systems have intensified after Instructure, the U.S.-based company behind the widely used Canvas learning platform, reached an agreement with hackers following a major cyberattack that disrupted thousands of colleges and universities globally, according to multiple reports.

The incident has raised fresh questions about the resilience of systems that handle sensitive student data, including exam records and answer sheets stored on cloud-based education platforms.

Instructure, which operates Canvas LMS, confirmed that it reached an agreement with the hackers behind an April cyberattack that reportedly affected about 9,000 institutions across the United States, Canada, Australia and the United Kingdom.

Reports said the breach caused widespread disruption, including interruptions during exams after the Canvas platform went down.

The attackers claimed to have stolen about 3.5 terabytes of student and institutional data and threatened to publish it online unless a ransom was paid.

According to reports, Instructure said the hackers claimed to have deleted the stolen data and assured the company that customers would not face further extortion under the agreement.

The company has not confirmed whether any financial payment was made. Cybersecurity experts say such agreements often involve ransom negotiations carried out through encrypted channels.

Instructure said the agreement includes confirmation that the data has been returned, digital verification of its deletion and assurances that affected customers will not be targeted again.

The breach was discovered April 29 and claimed by the ShinyHunters extortion group, which has been linked to several global cyber incidents.

Canvas LMS was affected by both the data breach and a service outage. Instructure said it was investigating a cybersecurity incident involving some user data, including names, email addresses, student ID numbers and messages exchanged among users.

The company said it had found no evidence that passwords, dates of birth, government identification numbers or financial information were accessed. (Source: IANS)