Congress Demands Instructure Testimony After Canvas Breaches

Key Takeaways

- House Homeland Security Committee demands Instructure CEO testify about repeated Canvas breaches
- Hackers used the same vulnerability twice to steal student data and deface login pages
- Instructure paid the ShinyHunters hackers despite FBI recommendations against ransom payments
Congressional investigation underway
U.S. House lawmakers are demanding that Instructure's leadership explain how hackers breached the company's systems twice. The House Homeland Security Committee wants CEO Steve Daly to testify about the attacks that exposed personal data belonging to millions of students worldwide.
Representative Andrew Garbarino, who chairs the committee, sent a letter to Daly this week outlining the investigation. The committee has jurisdiction over government activities related to homeland security, and CISA (the U.S. cybersecurity agency) has been called in to assist with the incident response.
Lawmakers want answers on several fronts. How did hackers break into Instructure's systems repeatedly? What types of data were stolen? How is the company notifying affected schools? And critically, is Instructure coordinating properly with CISA?
Same vulnerability, two breaches
Instructure makes Canvas, a widely used school information portal. The company has faced sharp criticism for its handling of the attacks. Most damaging: the hackers exploited the same vulnerability both times. First, they stole sensitive student data. Then they used the same flaw to deface school login pages.
“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”
— Representative Andrew Garbarino, House Homeland Security Committee Chair
Garbarino's letter specifically cited TechCrunch's reporting on the breaches. He wrote that the second breach by the same hackers raises "serious questions about the company's incident response capabilities and its obligations to the institutions and individuals whose data it holds."
Instructure paid the hackers
This week, Instructure confirmed it "reached an agreement" with the attackers. The company claims the hackers provided evidence they deleted the stolen data. A representative for the ShinyHunters hacking group told TechCrunch they would not continue to extort Instructure or its customers. They declined to say how much the company paid.
Security experts have long warned against paying ransoms. The payments fund future attacks. And hackers often keep stolen data even after claiming to delete it, hoping to extort victims again later.
No response from Instructure
Instructure has not said whether it will respond to the committee's letter or whether Daly will testify. Company spokesperson Brian Watkins did not respond to TechCrunch's request for comment.
The committee's investigation puts Instructure in an uncomfortable position. Educational institutions trust Canvas with student data. That trust depends on the company's ability to protect that data. Two breaches using the same vulnerability suggest something went wrong with Instructure's security practices or incident response.
What happens next
The House Homeland Security Committee investigation will likely proceed regardless of whether Instructure cooperates voluntarily. Congressional committees have subpoena power. If Daly declines to testify, lawmakers can compel his appearance.
For schools using Canvas, the investigation may reveal more about what data was stolen and how Instructure plans to prevent future breaches. For the broader education technology industry, this case could set precedents for how vendors are expected to handle cyberattacks.
Frequently Asked Questions
What data was stolen in the Instructure Canvas breach?
Instructure has not disclosed the full scope, but the breaches exposed personal data belonging to millions of students worldwide. The exact types of data taken are among the questions Congress wants answered.
Did Instructure pay a ransom to the hackers?
Yes. Instructure confirmed it "reached an agreement" with the ShinyHunters hackers. The company claims the attackers provided evidence they deleted the stolen data, though the ransom amount was not disclosed.
Why is Congress investigating the Canvas data breach?
The House Homeland Security Committee has jurisdiction over government activities related to homeland security. CISA's involvement in the incident response brings it under the committee's oversight.
How did hackers breach Instructure twice?
The hackers exploited the same vulnerability both times: first to steal student data, then to deface school login pages. This failure to patch a known flaw is a central focus of the congressional investigation.
Source: TechCrunch / Zack Whittaker
Manaal Khan
Tech & Innovation Writer