Instructure, the parent company of the widely used education platform Canvas, says it has reached an agreement with the hackers behind a global cyberattack that exposed sensitive data belonging to tens of thousands of students and staff in Hong Kong and affected institutions across multiple countries.
The company said the agreement includes the return and destruction of all compromised data obtained during the breach and claimed affected institutions would not face extortion demands tied to the incident.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company said in a statement posted on its website.
Register for Tekedia Mini-MBA edition 20 (June 8 – Sept 5, 2026).
Register for Tekedia AI in Business Masterclass.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register for Tekedia AI Lab.
The breach, which surfaced publicly last Thursday, has quickly developed into one of the most significant cyber incidents to hit the global education technology sector this year. The attack is estimated to have affected about 9,000 institutions worldwide, highlighting the growing vulnerability of cloud-based learning systems that store large volumes of student and staff data.
Instructure said customers should not independently negotiate with the attackers because the agreement already covers all affected organizations.
“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor,” the company said.
The company added that it would continue forensic investigations into how the breach occurred and promised to share technical findings with customers and cybersecurity professionals to help prevent similar attacks elsewhere. Instructure also announced plans to hold a leadership webinar on Wednesday to brief institutions on the attack and discuss additional measures to “harden the system,” an indication that the company expects heightened scrutiny from universities, regulators, and customers in the coming weeks.
The incident has drawn particular concern in Hong Kong after the city’s Office of the Privacy Commissioner for Personal Data disclosed that the personal information of 72,571 students and staff members had been compromised. Seven Hong Kong educational institutions have formally reported breaches to the regulator, including Hong Kong University of Science and Technology, Hong Kong Polytechnic University, and City University of Hong Kong.
The affected institutions also include Hong Kong Academy for Performing Arts, Hong Kong Art School, Hong Kong Institute of Construction, and Hong Kong Education City, a government-owned educational technology organization. Police in Hong Kong confirmed they had received two reports connected to the incident, raising the prospect of a broader criminal investigation into the attack and the handling of compromised data.
While Instructure did not disclose the nature of the data accessed, breaches involving educational platforms often expose highly sensitive information, including names, email addresses, student records, identification details, internal communications, and login credentials. Cybersecurity experts warn that such information can later be used in phishing campaigns, identity theft operations, or secondary intrusions targeting institutional networks.
The incident emerges as part of the growing cyber risk facing the education sector globally. Universities and schools have become increasingly attractive targets for cybercriminals because they maintain extensive databases of personal information while often operating with fragmented cybersecurity systems and large numbers of users accessing networks remotely.
The rapid digitalization of education following the COVID-19 pandemic significantly expanded the attack surface for institutions worldwide. Platforms such as Canvas became critical infrastructure for teaching, examinations, administration, and communication, concentrating vast amounts of sensitive information in cloud environments.
Cybersecurity analysts say ransomware groups and data-extortion actors are increasingly shifting toward sectors such as education, healthcare, and local government, where operational disruption creates pressure to negotiate quickly.
The unusual aspect of the Canvas incident is the company’s announcement that it reached an agreement with the attackers involving the destruction of stolen data. Firms targeted by cyberattacks do not always publicly acknowledge negotiations with threat actors, partly because such disclosures can trigger regulatory scrutiny and raise questions about whether payments or concessions encourage future attacks.
Instructure did not specify whether money changed hands as part of the arrangement, nor did it identify the group responsible for the intrusion.
The company’s assurance that customers will not face extortion attempts may provide temporary relief to universities already struggling with growing cybersecurity costs and reputational risks. However, experts caution that organizations often have limited ability to independently verify whether stolen data has actually been deleted after cybercriminals gain access to it.
The breach is likely to intensify pressure on education technology providers to strengthen security controls, particularly as regulators across multiple jurisdictions tighten data-protection requirements and impose heavier penalties for inadequate safeguards.
Canvas is one of the world’s largest learning management systems, serving more than 30 million active users globally across institutions ranging from primary schools to universities. The scale of the platform means the breach could have broad international implications if additional institutions disclose exposure in the coming days.