Hackers have given a company that provides educational technology to Wits University until next week to give in to their ransom demand before it leaks students’ personal information.
The university told The Citizen it is one of approximately 8 800 institutions worldwide affected by a global cyberattack targeting the Canvas learning management system.
Wits communications manager Shirona Patel also confirmed on Friday that the university’s learning management platform, Ulwazi, had since been restored.
“Our learning management system is up and running again!” Patel told The Citizen.
Student information potentially exposed
According to Patel, the university was informed about the breach on Thursday.
“The University can confirm that a cybersecurity incident has occurred involving Instructure, the company that manages Canvas, the University’s student learning management system,” Patel said.
“Instructure informed Wits and other universities across the world of a data breach to its systems yesterday, 7 May 2026. This appears to be because of an attack by a cyber extortion group.”
Patel said information that may have been compromised includes student names and email addresses, student numbers and conversations contained within Canvas inboxes.
“At this stage, the full extent of the breach and the volume of data impacted is not yet known. Forensic investigations are currently underway at Instructure, and further details will be shared as information becomes available,” she added.
Wits urged students and staff to remain cautious of phishing attempts or suspicious emails claiming to come from Canvas or the university.
“We urge all students and Canvas users to be alert to unsolicited emails or messages appearing to come from Canvas or the University, particularly any requesting login credentials or personal information.”
“We urge students and users not to click on suspicious links or attempt to download any files associated with this incident,” Patel said.
Hackers threaten to leak data
The cyber extortion group ShinyHunters has publicly claimed responsibility for the breach.
In a message posted on Ulwazi, the group threatened to release the stolen data if a settlement was not negotiated by 12 May.
“ShinyHunters has breached Instructure (again),” the hackers wrote.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked [SIC].”
The group further claimed that administrators had ignored previous warnings and instead attempted “security patches”.
Thousands of institutions affected
International reports suggest the attack has affected thousands of schools, colleges and universities globally.
The hackers claim to have stolen data linked to nearly 9 000 institutions and hundreds of millions of users worldwide.
However, administrator Instructure has reportedly said there is currently no evidence that passwords, dates of birth, government identifiers, or financial information were compromised.
Cybersecurity experts have warned that the breach could expose students and staff to highly targeted phishing scams because attackers may have access to real names, email addresses and private messages exchanged on the platform.
