Major Cyberattack on Swedish Universities via Canvas Platform Halted After Hacker Agreement

In May 2026, a significant cybersecurity incident impacted over 30 Swedish universities using the Canvas learning platform, operated by the American company Instructure. The hacker group Shinyhunters orchestrated the attack, threatening to leak vast amounts of sensitive personal data unless an agreement was reached with Instructure. The breach compromised personal information such as names and email addresses, affecting prominent institutions including Chalmers University, KTH Royal Institute of Technology, Uppsala University, and Luleå University of Technology (LTU).

According to official reports, the university data leak was successfully stopped following Instructure's agreement with the hackers, leading Shinyhunters to remove the threat from their website. However, concerns remain about the reliability and transparency of this settlement. Eric Leijonram, director general of the Swedish Authority for Privacy Protection (IMY), expressed strong criticism of negotiations with cybercriminals. He warned that such ransom dealings rarely yield positive results and may expose institutions to further risks. Leijonram emphasized that paying off hackers could encourage more criminal activity and never guarantees the stolen data won't be released again.

While Instructure disclosed it had reached terms with the hackers to end the data leak, the specifics of this agreement remain unclear. IMY's leadership highlighted that companies often lack true control in these situations, underscoring the complex challenges universities face in protecting sensitive data against increasingly sophisticated cyber threats.

This incident has raised alarm across Sweden's educational sector about cybersecurity preparedness and response strategies. The attack underscores the vulnerability of digital platforms used by academic institutions and the dire consequences of data breaches on personal privacy.

The authorities and university representatives have not disclosed more details about the data compromised or the conditions of the hackers' removal of the threat. Nonetheless, this case is prompting a reexamination of cybersecurity policies and crisis handling amid growing ransomware and data leak attacks globally.