In a move that will send shivers down the spine of every university administrator, Instructure, the parent company behind the popular Canvas learning management system, has confirmed that it paid a ransom to hackers who breached its systems and made off with sensitive student data. Sources close to the investigation confirm that the payment was made to secure the deletion of the stolen information, a dangerous precedent in an already escalating cybercrime war.
The breach, which came to light earlier this week, exposed the personal details of hundreds of thousands of students across multiple institutions. Names, email addresses, course enrolment data and even financial information are believed to have been compromised. Instructure declined to specify the amount paid, but cybersecurity experts estimate it likely ran into the millions.
This is not your run-of-the-mill ransomware attack. This was a targeted heist. Hackers didn't just lock up the data. They stole it first and then demanded payment to delete their copies. The company's decision to pay raises uncomfortable questions about how far a corporation should go to protect its users' data and what it signals to other cybercriminal gangs.
"Paying a ransom is a gamble, not a solution," said one former intelligence official who asked not to be named. "You're trusting a criminal to keep their word. And even if they delete the data this time, they've just proven that their business model works. Expect more of the same."
The education sector has become a soft target. Underfunded IT departments, troves of valuable personal data and a naive willingness to pay make universities and edtech companies irresistible. Canvas alone serves over 30 million students and 6,000 institutions worldwide. The attack was not just a breach of security but a breach of trust.
Documents obtained by this reporter show that Instructure engaged a third-party cybersecurity firm to negotiate with the hackers, a common practice in these cases. The firm, which specialises in ransomware negotiations, brokered the deal for a sum that remains undisclosed but is reliably sourced to be in the low seven figures. The hackers provided proof of deletion, but experts warn that such evidence can be faked.
"Once data is out, it's out," said a senior cybersecurity analyst. "Even if they delete their primary copies, they could have sold it, shared it or stored it elsewhere. You can't unring that bell."
The attack comes amid a broader surge in ransomware incidents targeting the education sector. According to data from the cybersecurity firm Emsisoft, there were at least 87 ransomware attacks on colleges and universities in 2023. That number is on track to be higher this year. The increase has fuelled debate over whether paying ransoms should be illegal.
Instructure has not commented beyond a terse statement acknowledging the incident and confirming that it "took steps to mitigate the impact on affected individuals." The company has not disclosed which institutions were affected, leaving students and parents in the dark.
The Department of Education is reportedly looking into the breach, though no official comment has been made. Law enforcement agencies have long advised against paying ransoms, arguing that it encourages more attacks. But for companies sitting on a pile of stolen data, the calculus is often different.
This is not a story about a technical glitch or a lone hacker in a basement. This is a story about a multibillion-dollar industry that has decided that paying criminals is cheaper than facing the consequences of a leak. It is a story about a company that chose to negotiate with terrorists of the digital age rather than face the music.
The cybercrime war is escalating, and the frontline is the data our children trust their schools to protect. If the corporate response is to pay up, we have already lost.








