Following a cyberattack on the educational platform Canvas in April 2026, some US schools and universities have reportedly reached out to the hacking group responsible to negotiate the protection of stolen student data. The breach, attributed to a group known as 'BianLian,' exposed personal information including names, email addresses, and academic records.
According to a source familiar with the matter, at least three institutions have initiated direct contact with the hackers through encrypted channels, offering payments in exchange for a promise not to publish the data. The negotiations are ongoing, and the FBI has been notified, though it is not directly involved in the talks.
Canvas, owned by Instructure, confirmed the breach in a statement on April 28, 2026, and has since implemented additional security measures. The company urged affected schools to work with law enforcement rather than engage with criminals. The incident has raised concerns about the vulnerability of educational technology platforms and the ethics of negotiating with cybercriminals.
