Key Takeaways

- House Homeland Security Committee demands Instructure CEO testify about repeated Canvas breaches
- Hackers used the same vulnerability twice to steal student data and deface login pages
- Instructure paid the ShinyHunters hackers despite FBI recommendations against ransom payments
Congressional investigation underway
U.S. House lawmakers are demanding that Instructure's leadership explain how hackers breached the company's systems twice. The House Homeland Security Committee wants CEO Steve Daly to testify about the attacks that exposed personal data belonging to millions of students worldwide.
Representative Andrew Garbarino, who chairs the committee, sent a letter to Daly this week outlining the investigation. The committee has jurisdiction over government activities related to homeland security, and CISA (the U.S. cybersecurity agency) has been called in to assist with the incident response.
Lawmakers want answers on several fronts. How did hackers break into Instructure's systems repeatedly? What types of data were stolen? How is the company notifying affected schools? And critically, is Instructure coordinating properly with CISA?
Same vulnerability, two breaches
Instructure makes Canvas, a widely used school information portal. The company has faced sharp criticism for its handling of the attacks. Most damaging: the hackers exploited the same vulnerability both times. First, they stole sensitive student data. Then they used the same flaw to deface school login pages.
“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”
— Representative Andrew Garbarino, House Homeland Security Committee Chair
Garbarino's letter specifically cited TechCrunch's reporting on the breaches. He wrote that the second breach by the same hackers raises "serious questions about the company's incident response capabilities and its obligations to the institutions and individuals whose data it holds."
Instructure paid the hackers
This week, Instructure confirmed it "reached an agreement" with the attackers. The company claims the hackers provided evidence they deleted the stolen data. A representative for the ShinyHunters hacking group told TechCrunch they would not continue to extort Instructure or its customers. They declined to say how much the company paid.
Full coverage of Instructure's controversial ransom payment decision
Security experts have long warned against paying ransoms. The payments fund future attacks. And hackers often keep stolen data even after claiming to delete it, hoping to extort victims again later.
No response from Instructure
Instructure has not said whether it will respond to the committee's letter or if Daly will testify. Company spokesperson Brian Watkins did not respond to TechCrunch's request for comment.
The committee's investigation puts Instructure in an uncomfortable position. Educational institutions trust Canvas with student data. That trust depends on the company's ability to protect that data. Two breaches using the same vulnerability suggests something went wrong with Instructure's security practices or incident response.
Logicity's Take
What happens next
The House Homeland Security Committee investigation will likely proceed regardless of whether Instructure cooperates voluntarily. Congressional committees have subpoena power. If Daly declines to testify, lawmakers can compel his appearance.
For schools using Canvas, the investigation may reveal more about what data was stolen and how Instructure plans to prevent future breaches. For the broader education technology industry, this case could set precedents for how vendors are expected to handle cyberattacks.
Frequently Asked Questions
What data was stolen in the Instructure Canvas breach?
Instructure has not disclosed the full scope, but the breaches exposed personal data belonging to millions of students worldwide. The exact types of data taken are among the questions Congress wants answered.
Did Instructure pay a ransom to the hackers?
Yes. Instructure confirmed it "reached an agreement" with the ShinyHunters hackers. The company claims the attackers provided evidence they deleted the stolen data, though the ransom amount was not disclosed.
Why is Congress investigating the Canvas data breach?
The House Homeland Security Committee has jurisdiction over government activities related to homeland security. CISA's involvement in the incident response brings it under the committee's oversight.
How did hackers breach Instructure twice?
The hackers exploited the same vulnerability both times. First to steal student data, then to deface school login pages. This failure to patch a known flaw is a central focus of the congressional investigation.
Need Help Implementing This?
Source: TechCrunch / Zack Whittaker
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Trending Tech
AI Revolution: How Tech is Transforming the World, One Industry at a Time
From desalination plants in Iran to AI-powered manufacturing, the tech world is abuzz with innovation. Discover how AI is changing the game for small entrepreneurs and what it means for the future of industry. Explore the latest developments in cybersecurity, robotics, and more.

Revolutionizing AI: The Game-Changing Tech That's Making Agents Smarter
A new technology is set to revolutionize the way AI agents learn and adapt, enabling them to accumulate wisdom and apply it to new situations. This innovation has the potential to significantly boost the reliability of AI agents, especially in complex tasks. By converting raw agent trajectories into reusable guidelines, this tech is poised to transform the AI landscape.

The Dark Side of AI: How Bots Are Fueling a Monetized Abuse Ecosystem
A recent analysis of 2.8 million Telegram messages reveals a shocking truth: AI-powered bots are being used to create and sell non-consensual intimate images. These bots can turn ordinary photos into synthetic nude images, and the abuse is being monetized through affiliate programs and subscription-based archives. The researchers behind the study are calling for stricter regulations to combat this growing problem.

AI's Secret Sauce: How Journalism Became the Unlikely Ingredient
A recent study reveals that AI chatbots rely heavily on journalistic sources for their quotes, with one in four coming from news outlets. This shocking discovery has significant implications for the media industry and our understanding of AI's information gathering processes. As AI technology continues to evolve, it's essential to consider the role of journalism in shaping its responses.



