The recent Canvas hack has sparked a crucial debate: should companies pay ransoms to cybercriminals? This incident, affecting millions of students and educational institutions worldwide, raises important questions about data security, ethical dilemmas, and the evolving nature of cybercrime.
The Canvas Hack: A Global Impact
The Canvas hack, orchestrated by the group ShinyHunters, targeted Instructure's education platform, Canvas. This platform is used by thousands of educational institutions, making the breach a significant concern. The hackers threatened to leak sensitive data, including student IDs, email addresses, and personal messages, unless a ransom was paid.
The Ransom Dilemma
The decision to pay a ransom is a complex one. While governments advise against it, many companies ultimately choose to pay, hoping to prevent further data exposure and potential harm. In this case, Instructure's response is intriguing. They claim to have reached an agreement with the hackers, resulting in the "return" of the data and digital confirmation of its destruction.
Expert Perspectives
Darren Hopkins, head of cyber at McGrathNicol, suggests that Instructure's statement is carefully worded, avoiding admission while indicating an agreement. He highlights the nature of ShinyHunters as an extortion group, questioning the likelihood of any other agreement. Luke Irwin from Aegis Cybersecurity estimates the potential ransom amount, emphasizing the risk Instructure took by trusting a criminal organization.
Global Guidelines and Local Laws
Most governments, including the UK, US, and Australia, advise against paying ransoms. Akamai's report highlights the potential reduction in attack effectiveness if ransoms are not paid. In Australia, paying a designated attacker could be a criminal offense under cyber sanctions law, adding another layer of complexity to the decision-making process.
Australian Context
Australia's mandatory reporting obligations reveal a concerning trend. As of January 2026, 75 businesses with turnovers of at least $3 million had paid ransoms. The average amount paid was $711,000, a significant decrease from the previous year. This suggests that businesses are becoming more prepared for cyber-attacks but also highlights the willingness to pay to prevent further harm.
The Human Factor
The question of honesty in the criminal world is a fascinating one. Hackers rely on trust to receive payments, but can we trust them to uphold their end of the bargain? Hopkins emphasizes the trust factor, noting that hackers must demonstrate honesty to maintain their business model. However, the risk of dealing with criminals remains, as Hopkins adds, "You can't rely on them to not be criminals."
A Broader Perspective
The Canvas hack and the subsequent ransom debate highlight the evolving nature of cybercrime. As technology advances, so do the methods and motivations of hackers. This incident serves as a reminder of the importance of robust cybersecurity measures and the need for businesses and governments to adapt to these ever-changing threats.
In my opinion, the Canvas hack is a wake-up call for the education sector and beyond. It underscores the critical need for comprehensive data protection strategies and a deeper understanding of the human element in cybercrime. As we navigate these complex issues, one thing is clear: the digital world demands our utmost vigilance and preparedness.