When Paying Ransoms Becomes Corporate Policy: The Instructure Breach Reveals America's Cyber Governance Crisis
Instructure, the company behind Canvas—used by over 6,000 colleges and universities serving 30 million students—just paid hackers to delete stolen data rather than reporting the breach first and negotiating later. Congress is now investigating, but the bigger story is what this reveals about corporate incentive structures: companies are increasingly treating ransoms as just another cost of doing business, with no requirement to disclose what was paid, what was stolen, or whether the hackers actually kept their word.
Bottom Line
The Instructure breach isn't just about one company's bad week—it's a stress test of America's entire approach to cybersecurity governance, and we're failing. When corporations can pay ransoms in secret, claim victory based on hackers' pinky promises, and face minimal regulatory consequence, we've created a system that funds cybercrime while leaving victims unprotected. Congress can investigate, but without mandatory breach disclosure timelines, ransom payment reporting requirements, and independent verification of data destruction, this will keep happening. The question isn't whether another major platform will face the same choice—it's whether they'll make the same calculation.