Instructure calls it an "incident." That is the word in the press release, in the apology, on the status page, and in the carefully styled blog post that arrived this week explaining how 275 million people had their data quietly relocated by a group called ShinyHunters and then, after a brief negotiation, allegedly destroyed. The company "reached an agreement." That is also a word.
The students are calling it finals week.
We are now several days into the part of the news cycle where everyone reaches for the same vocabulary. "Sophisticated threat actor." "Promptly contained." "We take the privacy of our community seriously." "An undisclosed amount." If you have read one of these statements you have read the others. They run through the same crisis-comms filter and are calibrated to be precisely as informative as litigation will allow, which is to say, barely.
I want to be fair to Instructure. Running a learning management system used by 41% of US higher education and a long tail of K-12 districts is genuinely hard. So is being the only place 9,000 institutions decided, independently and over a decade and a half, to keep the names, emails, IDs, and message histories of an entire generation. It is hard to be that place. It is also a strange thing to have become.
Nobody planned this database. That is the part worth sitting with.
Every individual procurement decision was rational. The platform met the requirements. The price was inside the budget. The references checked out. The SOC 2 report existed. The legal review found nothing alarming, largely because the legal review was looking at a thirty-page software license and not at the structural question of whether an entire sector should be standing on one tile.
Stack 9,000 rational decisions and you get an irrational system. The board meeting where someone asks "are we sure we want to be the eight-thousand-fiftieth district storing student records with this vendor" does not happen, because the board meeting is twenty minutes long and the agenda item is "approve renewal."
The agenda item is always "approve renewal."
A few specifics, in the spirit of being unhelpfully precise.
The compromised data is the boring kind, which is the dangerous kind. No passwords. No Social Security numbers. No birthdates. Just names, school emails, ID numbers, and messages. Exactly enough to build a phishing list keyed to a child's school, to spear-phish the parents using the child's correct teacher and class, and to credential-stuff every other service that kid ever signed up for using that email. A thirteen-year-old does not get to issue a new name. The data outlives the vendor.
The ransom was paid. "An agreement" was reached. The amount is undisclosed, which is corporate for "more than we want our customers to know, less than our cyber-insurance deductible." The hackers say the data was destroyed. We are taking their word for it, the way you take a burglar's word that they returned the spare key.
The notification letters will be polite. They will offer a year of credit monitoring, useful for the adults and ornamental for the children, who do not yet have credit to monitor. The credit monitoring will be provided by a company that has itself been breached. This will not be mentioned in the letter.
The district response will be a memo. The memo will use the phrase "we are working closely with our vendor." This is what districts say when there is nothing else to say. It is the official sound of having no leverage.
None of this is a security failure, exactly. It is a procurement failure with the lights turned off so you cannot see the procurement.