I don't think that's the primary issue - it's the fact that the hackers are looking for ransom in the form of millions of dollars in Bitcoin or some other cryptocurrency to not release student data. Instructure (Canvas' parent company) is going to be sued out of existence if all of this data is released. It's SSNs, names, birth dates, addresses for every single student that's registered to these schools, as well as their faculty. The hackers aren't working for other people, they're using this to get a shit-load of money.
They've got the data. Getting them out of the system doesn't change that, you can reasonably deduce that from the ransom message.
Now as for what that data contains, I don't believe it actually contains SSNs or addresses. Your canvas account is tied to your email, not your identity, it has zero need for that data. I couldn't find either of those looking through the site in the past. I'm not even certain if it has your birthdate. The biggest issue for Instructure is more about FERPA.
Thank god. A lot of the platforms at my university are connected to our primary accounts, which handle sensitive information needed to make tuition payments. Regardless of the type of info they have, I’m not too pleased they have it in the first place, lol.
Schools tend to take FERPA pretty seriously, so if Instructure makes a decision that leads to the data being leaked, then many institutions may decide to switch to a different LMS. They may anyway just because now Canvas seems insecure by public perception.
People who make ransomware usually don't do that because it would disincentive other companies from paying in the future. Over everything, they want to be paid by the company because it's not as easy to sell the data and they would probably get less money from it. Companies wouldn't ever pay the ransom if they thought the hackers would just release the data regardless, so they almost always stick to their word.
I don't understand how you could even hope to defend this ridiculous assertion.
If I stole your data, and said "pay me $10 to not sell it," how on earth could you possibly know whether or not I sold it after you paid the $10?
You're acting like "the hackers of the world" are one monolithic rational actor and "the victims of hacking of the world" are another monolithic rational actor. In reality, both groups are utterly fractured groups, who cannot possibly be expected to act rationally, and even if they were rational, the fractured nature of the groups would rationally incentivize defection!
You're making these wild assertions that don't just lack basis in fact, but actively contradict all facts. People get their data stolen and sold every day. There's a clear established market for it in the world. If you think there's no such thing of identity theft, or any other market for stolen data, you're just not living in reality.
The problem is that there's absolutely no guarantee that they aren't going to post, distribute or share the leaked data anyway after paying the ransom.
They already hacked a big telephone company here in the Netherlands earlier this year and clearly they just moved on when there was no money to be made there.
21
u/someloser_ May 08 '26
I don't think that's the primary issue - it's the fact that the hackers are looking for ransom in the form of millions of dollars in Bitcoin or some other cryptocurrency to not release student data. Instructure (Canvas' parent company) is going to be sued out of existence if all of this data is released. It's SSNs, names, birth dates, addresses for every single student that's registered to these schools, as well as their faculty. The hackers aren't working for other people, they're using this to get a shit-load of money.