Apr 3, 2025 4:52 pm
Global Media Network
Canvas Hack Sparks Global Ransom Debate
A massive cyberattack on the education platform Instructure has triggered fresh debate over whether companies should ever pay ransomware hackers to protect stolen data.
The attack targeted Canvas, a learning platform used by schools and universities around the world. The breach disrupted online services for days and exposed the personal data of millions of students and staff members.
After the outage, Instructure announced it had reached “an agreement with the unauthorised actor” responsible for the attack. The company did not directly confirm that a ransom was paid. However, cybersecurity experts believe the wording strongly suggests some form of payment or settlement took place.
The hacking group ShinyHunters claimed responsibility for the attack. The group reportedly stole about 3.6 terabytes of data linked to around 9,000 schools and 275 million students and staff worldwide.
The stolen information reportedly included names, email addresses, student ID numbers, and messages stored on the platform.
In Australia, several universities and schools were affected by the attack. Students at institutions including RMIT University and University of Technology Sydney faced delays and assignment deadline extensions because they could not access the system.
Hackers also defaced some school login pages to alert users about the breach. Instructure later confirmed the attackers used a weakness in its Free for Teacher software to gain access.
The company said the stolen data had been “returned” as part of the agreement with the hackers. Instructure also said it received “digital confirmation of data destruction” through technical shred logs, which are reports showing files were supposedly deleted permanently.
Still, cybersecurity experts warned that companies can never fully trust criminals to destroy stolen information.
Darren Hopkins from McGrathNicol said the company’s statement appeared carefully written to avoid openly admitting a ransom payment.
Hopkins explained that ransomware groups depend on victims believing they will keep promises after payment. Otherwise, companies would stop paying altogether.
“The business model needs them to show they are honest,” Hopkins said while discussing how hackers try to maintain trust among future victims.
However, he warned there is no way to verify whether hackers truly destroy all copies of stolen data.
“They will show you what you need to see so you’ll make your payment,” Hopkins said. “You don’t know if they kept copies.”
Cybersecurity expert Luke Irwin from Aegis Cybersecurity estimated the ransom demand may have reached $10m. He said the amount could have been negotiated down if a payment was made.
Irwin also noted that companies often face difficult choices after large-scale attacks. Businesses must decide whether refusing payment could lead to more harm through public data leaks.
Governments in countries including Australia, the United States, and the United Kingdom strongly advise companies not to pay ransomware demands. Officials argue that payments encourage more cybercrime and help fund criminal operations.
Experts also warn there is no guarantee that paying attackers will stop future threats or prevent stolen data from being shared online.
Australia introduced mandatory ransomware payment reporting rules in 2025. Under those laws, businesses with annual turnover above $3m must report ransom payments to the government.
By January 2026, Australian authorities had recorded 75 businesses making ransomware payments. The government does not publicly reveal the amounts paid.
A report from McGrathNicol found that the average ransomware payment made by Australian companies dropped to about $711,000 last year. The average had been $1.35m the previous year.
The same survey showed that 64% of businesses had paid a ransom after an attack. More than 80% said they would consider paying if faced with a similar crisis.
Experts say many companies are now better prepared for cyberattacks because they maintain stronger backup systems. This means businesses are less likely to pay hackers just to restore access to locked files.
Instead, many firms now focus on preventing stolen information from being leaked publicly.
The Canvas breach has again highlighted how damaging cyberattacks can become for schools, businesses, and ordinary users. It also shows the growing pressure companies face when deciding whether to negotiate with hackers.
While Instructure says it acted to give customers “peace of mind,” experts stress that no agreement with cybercriminals can ever offer complete certainty.