Cybersecurity Lessons from the Canvas Data Breach
The Shared Security Podcast dives into the recent Canvas data breach involving cybercriminal group Shiny Hunters, revealing a controversial settlement where Instructure reportedly paid ransom without confirming it. Despite the company's claim that stolen data was returned and destroyed, the lack of transparency—especially the absence of a public incident disclosure and the delayed release of an incident dashboard—has sparked widespread criticism. Guest Kevin Tackett argues that while no organization can fully prevent breaches, especially when targeted by sophisticated groups like Shiny Hunters, the true failure lies in post-incident response. He emphasizes that organizations must prioritize testing their incident response plans, disaster recovery, and communication strategies—not just technical defenses. The episode reframes the conversation from 'did they get hacked?' to 'how did they respond?' and warns that poor crisis communication can be more damaging than the breach itself. Tackett stresses that ransom payments, while morally and strategically contentious, are often a business decision driven by necessity, not weakness. He draws a parallel to NFTs—digital proof of ownership that can't be verified—highlighting the trust issues in digital promises. The takeaway is clear: organizations should invest in proactive preparedness, not just reactive security.
Organizations must test their incident response and disaster recovery plans regularly—preparedness matters more than prevention.
Even if a ransom is paid, there's no verifiable proof that stolen data was destroyed, making trust in cybercriminals extremely risky.
Instructure's lack of public disclosure and delayed incident dashboard updates damaged trust more than the breach itself.
Mobile apps are now a top attack vector—72% of organizations faced a mobile app security incident last year.
The real vulnerability isn't just technical—it's organizational: poor crisis communication and untested response plans.
Introduction: The Reality of Modern Cybersecurity
The host sets the tone for the episode, emphasizing that cybersecurity is no longer just about technology—it's about human behavior, trust, and preparedness. The episode begins with a strong warning about over-reliance on operating system security and introduces the Canvas breach as a case study in crisis response failure.
The Canvas Breach: A Ransom Settlement Without Admission
“They never denied making a payment. That wording has led many of us in cybersecurity to conclude this was effectively a ransom settlement, even if the company avoided saying so directly.”
The Real Failure: Poor Post-Breach Communication
“What I am going to blame you for and what I am going to hold you accountable for is how you reacted afterwards. The lack of public disclosure, the lack of any information about where they're at.”
Why Ransom Payments Are a Business Decision, Not a Moral One
“You paid so much money and you got this digital artwork that you were the only person. Oh, NFTs. NFTs. I could not remember this. The digital apes. Yeah. Yeah. That's dumb.”
The Path Forward: Invest in Preparedness, Not Just Prevention
The episode concludes with a call to action: organizations must prioritize testing incident response plans, validating backups, and practicing crisis communication. The goal isn't to avoid breaches—it's to survive them with credibility.
“You will get hacked eventually. That is an inevitability, but how you respond and how you prepare is where you should really be investing.”
“Instructure never denied making a payment. That wording has led many of us in cybersecurity to conclude this was effectively a ransom settlement, even if the company avoided saying so directly.”
Host
Guest
Kevin Tackett (person)
Canvas (product)
Instructure (organization)
Shiny Hunters (other)
CISA (organization)
NOLA Con (other)
Cybersecurity Summit St. Louis (other)
WISCon (other)
Moodle (product)
Blackboard (product)
