The potential class action was filed in U.S. District Court in Waco by a nursing student at Baylor University.
The woman, identified only as Jane Doe, says she was studying for a statistics final at a campus library when Canvas, the popular platform used by hundreds of universities to administer many aspects of instruction, went offline. Discussion boards, previous assignments, study guides and other academic necessities all suddenly vanished.
Instructure Inc., the owner of Canvas, had shut down the site due to the data breach, locking out students and teachers.
The May 7 site shutdown wreaked havoc across the nation, causing final exams at universities like Baylor to be rescheduled. Dormitories had to be kept open longer than scheduled and students had to change move-out plans.
One of Doe's finals was rescheduled from May 8 to May 14, delaying her move back to Houston by a week.
Instructure said a criminal hacker group known as the ShinyHunters attacked Canvas through its Free-For-Teacher accounts, stole masses of data and changed pages. The first breach happened April 29, according to Instructure's incident response webpage. The second was on May 7, when hackers started changing pages on Canvas and Instructure shut it down.
The site was restored for some users before the end of that day and the company says it is now fully functional.
The hacker group claimed it had stolen 275 million individual records from nearly 9,000 schools worldwide and would release them if not paid.
Instructure said Tuesday it struck a deal with the hackers to delete the data they pilfered. It did not provide details on the agreement.
According to Jane Doe's lawsuit, student messages that were compromised could include requests for accommodation for disabilities, harassment complaints and other sensitive and potentially embarrassing communications.
Email addresses and student ID numbers were taken. Instructure has said there is no evidence that government ID numbers like a Social Security number, a date of birth or passwords were stolen.
"Those statements do not end the inquiry," said Nicholas Hall, Jane Doe's attorney. "Students, parents, and schools still deserve answers about whose Canvas messages were taken, what sensitive communications were involved, whether any copies were made, and how any claimed destruction was verified."
Cynthia Kaiser, a former deputy director of the FBI's Cyber Division, said the reported deal suggests a ransom was paid.
"What victims must understand is that payment does not end the threat," Kaiser, now senior vice president of the Halcyon Ransomware Research Center, said in a statement. "Stolen data will be used against clients and users for as long as it remains profitable to do so."
Jane Doe's suit accuses Instructure of negligence, breach of implied contract, breach of confidence and unjust enrichment. The potential damages exceed $5 million, according to her lawsuit, which also seeks class-action status.
"Rebuilding trust takes time," Steve Daly, CEO of Instructure, wrote on the company's incident website. "We're going to earn it back through consistent action and honest communication. We're in this for you and your community."
The site's return has been cold comfort to many like Jane Doe, who are seeking legal relief. At least two dozen federal lawsuits involving Instructure or related entities have been filed since May 7, according to an Austin American-Statesman review of court records.
The company declined to comment on the lawsuits, referring questions to its incident response page.
The cyber thieves at the center of the heist have attacked global companies affecting tens of millions of people and extracted voluminous amounts from victims. It has also been the cause of hundreds of class-action lawsuits over the theft of sensitive data. ShinyHunters also was behind a smaller breach of Infrastructure last year.
Pornhub currently faces potential class-action lawsuits over a breach of the viewing history of some of its premium users. AT&T paid $177 million when tens of millions of its customers' personal data was stolen by ShinyHunters. Stellantis, Oracle Corp., Salesforce Inc. and dozens of others have also faced similar allegations and lawsuits.
© 2026 the San Antonio Express-News. Distributed by Tribune Content Agency, LLC.
