Canvas Hack Victims Doubt Data Deletion Claims

Security professionals question whether attackers actually deleted stolen student data as promised

Summary

  • Canvas learning management system suffered a data breach affecting student information
  • Attackers claim to have deleted stolen data after breach
  • Security professionals and victims express widespread scepticism about deletion claims

Security professionals are expressing doubt over claims that cybercriminals who breached the Canvas learning management system have deleted stolen student data.

The breach affected Canvas, operated by Instructure, compromising student information across multiple educational institutions. Following the incident, the attackers claimed they had deleted the stolen data.

However, security experts and affected parties remain sceptical of these assurances. The Register reported that aside from Instructure executives, few believe the attackers’ claims about data deletion.

Canvas is widely used by educational institutions globally as a learning management system, hosting sensitive student academic records, personal information, and communication between students and faculty.

The incident highlights ongoing concerns about data handling practices by cybercriminals and the difficulty of verifying claims about data destruction after a breach occurs.

Why It Matters

Educational data breaches present unique compliance and reputational risks for institutions. Student records often contain personally identifiable information protected under various privacy regulations, and breaches can trigger notification requirements and regulatory scrutiny.

The scepticism around data deletion claims underscores a critical challenge for CISOs: there is typically no reliable way to verify whether stolen data has actually been destroyed by threat actors, making post-breach risk assessment complex.

What To Do Now

  • Review contracts with educational technology vendors to understand data handling and breach notification procedures
  • Assess whether your organisation uses Canvas or similar platforms that may be affected
  • Evaluate incident response plans for scenarios involving unverifiable data deletion claims
