A software publisher reportedly paid a ransom to hackers to prevent the release of personal information belonging to students and employees of educational institutions such as HEC Montréal, Cégep de l'Abitibi-Témiscamingue, and Concordia University. However, experts fear that this favor granted to the criminals may not have actually protected the stolen data.
Claiming responsibility for this massive data leak, the cyber extortion group ShinyHunters asserted that it possessed student IDs, email addresses, but above all internal messages from hundreds of millions of people who use the Canvas teaching platform around the world.
A true all-in-one teaching solution, the software from the company Instructure allows, among other things, the exchange of messages between students and teachers, the transmission of assignments, and the performance of assessments.
Neither the content of the courses nor the users' passwords have been leaked, Instructure claims.
Among the list of nearly 9000 affected educational institutions published by ShinyHunters, in addition to HEC Montréal, the Cégep de l'Abitibi-Témiscamingue and Concordia University, are world-renowned institutions such as Harvard University and the Massachusetts Institute of Technology (MIT).
Many Canadian primary and secondary schools are also included, as are the University of Toronto and the University of British Columbia.
"I can't believe that through all this data, there isn't a student who sent a photo of their driver's license to someone else... There is a high risk of identity theft," says Stéphane Auger, vice-president of Microfix, an IT and cybersecurity services company in Terrebonne.
The expert believes, however, that the extent of this data breach could be less than ShinyHunters claims, because "attackers will often exaggerate to increase the price of a ransom."
A "temporary public relations solution"
In its press release of May 11, Instructure claimed to have "received all the data" that had been leaked and "a digital confirmation of [its] destruction", after an "agreement with the unauthorized actor".
Two days later, ShinyHunters stated that the company and its customers "will not be targeted or contacted for payments. The data is non-existent."
The experts consulted by La Presse are unanimous in believing that Instructure paid a ransom to ShinyHunters, although neither party has publicly confirmed it.
The "proof" of the deletion of leaked data is not reliable, and Instructure should not trust the word of criminals, says Ryan Zorn, president, CEO and founder of cybersecurity firm CyberAGroup.
"I guarantee you they didn't delete the data," he said. "They kept it because it's very valuable."
Ryan Zorn explains that these criminal groups have many members scattered all over the world, who could all have made a copy of the valuable data.
“Paying [the cyber extortion group] is a temporary public relations solution. That’s all,” continues the man who also founded the cyber investigations unit of the Canadian Security Intelligence Service (CSIS).
Ryan Zorn believes Instructure would have been better off using the money sent to ShinyHunters to prevent future data leaks.
According to Jean Loup Le Roux, president of MAGNA, a cybersecurity company, the data leak and its management are "catastrophic".
Sending money to criminals will make Instructure "a good customer in the eyes of ShinyHunters," encouraging them to monetize their data in the future, he believes.
Although he describes Instructure's decision to pay the ransom as "irresponsible", Stéphane Auger praises the company's good communication, an important component of such a crisis management situation, according to him.
How should we react to the leak?
In an email sent to La Presse , HEC Montréal states that it has invited its community to "be vigilant and report any unusual situation."
Stéphane Auger shares this opinion and recommends that anyone who has used Canvas services exercise extra caution before clicking on links.
He also suggests blocking your credit file at TransUnion and Equifax, a free precaution that prevents criminals from creating new credit cards in your name.
Should educational institutions turn away from Canvas and opt for a competitor? Experts consulted by La Presse believe that this is not necessary, for the time being.
"It's always better to keep an employee who makes a mistake than to fire them, because another employee could make the same mistake," says Stéphane Auger to illustrate the lessons Instructure could learn after the leak.
Origtinal article: https://www.lapresse.ca/actualites/education/2026-06-03/fuite-de-donnees-en-education/payer-une-rancon-aux-pirates-ne-garantit-rien-disent-les-experts.php