There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.

In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.

IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.