> I sure as fuck am concerned about how much it’s going to cost the district to move to another provider

Does Canvas have cybersecurity insurance?

Not at all; standard IR procedure is scope -> containment -> eradication -> recovery. There is a fog right now; we don't know all the details. It seems to me that it's just as likely they weren't fully kicked out before or that the initial vulnerability wasn't remediated. You can't recover until the threat actor has been removed.