The company behind popular education software Canvas has paid a hacking group not to publish stolen student and university data, raising ethical questions over ransom payments to cybercriminals.

Instructure, the maker of Canvas, confirmed it reached an agreement with the hackers. The terms mean that the data was returned to the company and there are digital confirmations of its destruction, but no details on how much money changed hands or if this is true.

The breach affected around 9,000 institutions worldwide, causing disruption during exams and tests in universities across the US, Canada, Australia and the UK. Students like Aubrey Palmer at Mississippi State University found themselves facing a sudden ransom note mid-exam, leading to confusion and stress for both students and professors.

Shiny Hunters, known for hacking organisations and demanding ransoms, has been linked to this breach in addition to others on Jaguar Land Rover and Gucci. Their English-speaking members are believed to be young, operating via encrypted messaging services like Telegram.