Congress Demands Instructure Testimony After Canvas Breaches

Key Takeaways

- House Homeland Security Committee demands Instructure CEO testify about repeated Canvas breaches
- Hackers used the same vulnerability twice to steal student data and deface login pages
- Instructure paid the ShinyHunters hackers despite FBI recommendations against ransom payments
Congressional investigation underway
U.S. House lawmakers are demanding that Instructure's leadership explain how hackers breached the company's systems twice. The House Homeland Security Committee wants CEO Steve Daly to testify about the attacks that exposed personal data belonging to millions of students worldwide.
Representative Andrew Garbarino, who chairs the committee, sent a letter to Daly this week outlining the investigation. The committee has jurisdiction over government activities related to homeland security, and CISA (the U.S. cybersecurity agency) has been called in to assist with the incident response.
Lawmakers want answers on several fronts. How did hackers break into Instructure's systems repeatedly? What types of data were stolen? How is the company notifying affected schools? And critically, is Instructure coordinating properly with CISA?
Same vulnerability, two breaches
Instructure makes Canvas, a widely used school information portal. The company has faced sharp criticism for its handling of the attacks. Most damaging: the hackers exploited the same vulnerability both times. First, they stole sensitive student data. Then they used the same flaw to deface school login pages.
“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”
— Representative Andrew Garbarino, House Homeland Security Committee Chair
Garbarino's letter specifically cited TechCrunch's reporting on the breaches. He wrote that the second breach by the same hackers raises "serious questions about the company's incident response capabilities and its obligations to the institutions and individuals whose data it holds."
Instructure paid the hackers
This week, Instructure confirmed it "reached an agreement" with the attackers. The company claims the hackers provided evidence they deleted the stolen data. A representative for the ShinyHunters hacking group told TechCrunch they would not continue to extort Instructure or its customers. They declined to say how much the company paid.
Security experts have long warned against paying ransoms. The payments fund future attacks. And hackers often keep stolen data even after claiming to delete it, hoping to extort victims again later.
No response from Instructure
Instructure has not said whether it will respond to the committee's letter or if Daly will testify. Company spokesperson Brian Watkins did not respond to TechCrunch's request for comment.
The committee's investigation puts Instructure in an uncomfortable position. Educational institutions trust Canvas with student data. That trust depends on the company's ability to protect that data. Two breaches using the same vulnerability suggest something went wrong with Instructure's security practices or incident response.
What happens next
The House Homeland Security Committee investigation will likely proceed regardless of whether Instructure cooperates voluntarily. Congressional committees have subpoena power. If Daly declines to testify, lawmakers can compel his appearance.
For schools using Canvas, the investigation may reveal more about what data was stolen and how Instructure plans to prevent future breaches. For the broader education technology industry, this case could set precedents for how vendors are expected to handle cyberattacks.
Frequently Asked Questions
What data was stolen in the Instructure Canvas breach?
Instructure has not disclosed the full scope, but the breaches exposed personal data belonging to millions of students worldwide. The exact types of data taken are among the questions Congress wants answered.
Did Instructure pay a ransom to the hackers?
Yes. Instructure confirmed it "reached an agreement" with the ShinyHunters hackers. The company claims the attackers provided evidence they deleted the stolen data, though the ransom amount was not disclosed.
Why is Congress investigating the Canvas data breach?
The House Homeland Security Committee has jurisdiction over government activities related to homeland security. CISA's involvement in the incident response brings it under the committee's oversight.
How did hackers breach Instructure twice?
The hackers exploited the same vulnerability both times: first to steal student data, then to deface school login pages. This failure to patch a known flaw is a central focus of the congressional investigation.
Source: TechCrunch / Zack Whittaker
Manaal Khan
Tech & Innovation Writer