Instructure, the company behind the popular Canvas school software, has entered into an agreement with hackers who breached its systems not once, but twice. The details of the agreement remain unclear, but it reportedly does not include any guarantees that the hackers will refrain from releasing the stolen data or uphold their end of the bargain. This lack of assurance raises concerns about the potential for further data leaks, particularly given the sensitive nature of the information handled by Canvas. The breach highlights the ongoing struggle to secure educational technology platforms, which often hold vast amounts of personal and sensitive data. Instructure's decision to negotiate with the hackers, rather than pursuing alternative measures, may set a troubling precedent for other companies facing similar situations1. This development matters to cybersecurity practitioners because it underscores the complexities and challenges of responding to data breaches, particularly when dealing with sophisticated and unpredictable adversaries.