Instructure, the US-based educational technology firm behind the Canvas learning management system, has confirmed it paid an undisclosed sum to cyber criminals to delete student data following a breach. The UK’s National Cyber Security Centre (NCSC) has issued a warning to universities and schools using the platform, urging them to review security measures.

The breach, which came to light on Tuesday, involved unauthorised access to a database containing personal information of students and staff across multiple institutions. Instructure said in a statement that it had “engaged with a threat actor” to destroy the stolen data, but declined to confirm the amount paid or the identity of the criminals.

“We took immediate action to secure our systems and engaged with law enforcement,” the company said. “After careful consideration, we made the difficult decision to pay to ensure the data was permanently deleted.”

The NCSC, a part of GCHQ, described the incident as “concerning” and noted that paying ransoms does not guarantee the destruction of data. “Criminals often retain copies even after payment,” the agency warned. “We advise organisations to focus on prevention and robust backup strategies rather than paying ransoms.”

The breach is the latest in a series of cyber attacks targeting educational institutions, which have become increasingly attractive to hackers due to the sensitivity of student records and often weaker security postures compared to financial or healthcare sectors. In 2023, the UK’s education sector reported a 40% increase in ransomware incidents.

Canvas is used by more than 2,000 universities and schools in the UK, including several Russell Group institutions. The exact number of affected institutions and individuals remains unclear, but Instructure said it was contacting those impacted directly.

Security experts have criticised the company’s decision to pay the ransom. “Paying only emboldens criminals and signals that data can be monetised,” said Dr. Emily Carter, a cybersecurity researcher at the University of Cambridge. “The NCSC’s warning is timely: paying does not solve the problem; it merely kicks the can down the road.”

Instructure maintains that its core systems were not compromised and that the breach was limited to a single database. The company has since patched the vulnerability and implemented additional security controls.

The NCSC has advised institutions using Canvas to ensure they have multi-factor authentication enabled, to review access logs, and to maintain offline backups of critical data. The agency also reiterated its guidance that paying ransoms should be a last resort, and only after consultation with law enforcement.