Instructure, the parent company of the widely used learning management system Canvas, has confirmed that it paid an undisclosed sum to cybercriminals to secure the deletion of student data stolen in a recent breach. The incident, which came to light on Tuesday, has raised serious questions about the company’s data security protocols and its handling of sensitive information belonging to millions of students worldwide.

The hack, first detected by Instructure’s security team on 8 January, involved unauthorised access to a database containing personally identifiable information (PII) of students and staff across multiple institutions. The compromised data included names, email addresses, and in some cases, academic records and financial information. Instructure declined to specify the number of individuals affected, but sources familiar with the matter estimate the figure to be in the hundreds of thousands.

Rather than pursuing traditional law enforcement channels, the company opted to negotiate directly with the attackers. In a statement issued late on Monday, Instructure acknowledged that it had “made a payment to the threat actor to ensure the deletion of the stolen data and to prevent its further dissemination.” The company declined to disclose the sum, though cybersecurity experts suggest such payments typically range from tens of thousands to several million dollars.

The decision to pay a ransom has divided opinion within the cybersecurity community. Proponents argue that, in cases where data has been exfiltrated, paying can be the quickest way to prevent sensitive information from being leaked or sold on the dark web. Critics, however, contend that such payments incentivise further attacks and undermine trust in institutional cybersecurity.

Dr Eleanor Harris, a senior fellow at the Institute for Cyber Policy at Chatham House, described the move as “a pragmatic but dangerous precedent.” She said: “While the immediate priority must be to protect affected individuals, the long-term implications of paying ransoms are deeply corrosive. It signals that institutions are willing to fund criminal enterprises rather than invest in robust preventative measures.”

Instructure has assured users that it is working with external forensic experts and law enforcement to investigate the breach and has implemented additional security measures. The company also said it had received confirmation from the attackers that the data had been destroyed, though it acknowledged that verifying such claims is notoriously difficult.

The incident comes amid a broader surge in ransomware attacks targeting educational institutions, which have often been criticised for underfunded cybersecurity budgets. According to data from the UK’s National Cyber Security Centre, reports of ransomware in the education sector have risen by 20% over the past year.

For students and staff whose data was exposed, the immediate concern is the risk of phishing and identity theft. Instructure has advised users to be vigilant for unsolicited communications and to monitor financial accounts for suspicious activity. It has also offered credit monitoring services to those affected.

The breach is a significant blow to Instructure’s reputation as a trusted provider of educational technology. Canvas is used by more than 2,000 universities and schools worldwide, including several in the United Kingdom. The company’s stock fell by 4% in early trading on Tuesday.

As the investigation continues, regulators on both sides of the Atlantic are likely to scrutinise whether Instructure’s response complied with data protection laws, including the UK’s Data Protection Act and the EU’s GDPR. The Information Commissioner’s Office has confirmed it is “making inquiries” into the incident.