## ShinyHunters Deadline Closes on Instructure as 275 Million Student Records Remain Unnotified
A ransomware deadline issued by the threat actor ShinyHunters to Instructure, parent company of the widely used Canvas learning management system, expires May 12, raising urgent questions about the status of negotiations and the fate of data belonging to approximately 275 million students across 9,000 educational institutions. The breach, which exposed names, email addresses, student IDs, and private messages from schools including Harvard, Columbia, Princeton, and Georgetown, has prompted warnings that absent payment, the stolen data will be released publicly. Instructure has not confirmed whether any ransom was paid, nor has it publicly acknowledged engaging with the attackers.

The Canvas platform has resumed normal operations, but the gap between technical recovery and accountability remains wide. Federal privacy law creates a fragmented notification landscape: FERPA does not mandate that schools notify students or families directly following a data breach, leaving notification timelines to state statutes. New York's Education Law 2-d, for example, operates on a 60-day standard, while other states impose shorter or longer requirements. Schools participating in Title IV federal student aid programs face a separate same-day reporting obligation to the Department of Education through Financial Student Aid agreements, though enforcement of this requirement in breach scenarios remains uneven.

As a result, hundreds of millions of affected individuals have received no direct notice from their institutions, despite the exposure of sensitive academic and personal data. Security researchers note that ShinyHunters has previously leaked data from multiple high-profile breaches when ransom demands went unmet. The pressure on Instructure intensifies as the deadline passes without public confirmation of resolution, leaving affected students, educators, and compliance officers to monitor for unauthorized publication of records with no clear recourse in the interim.

---
- **Source**: r/privacy
- **Sector**: The Lab
- **Tags**: ransomware, data breach, education sector, student data, ShinyHunters
- **Credibility**: unverified
- **Published**: 2026-05-11 20:48:18
- **ID**: 81944
- **URL**: https://whisperx.ai/en/intel/81944