U.S. House lawmakers are requiring Instructure, maker of Canvas education software, to testify on cyberattacks that exposed personal data of millions of students globally.
Homeland Security Committee Steps In
The House Homeland Security Committee, chaired by Representative Andrew Garbarino, is leading the investigation. Garbarino's letter to Instructure CEO Steve Daly emphasized the committee's jurisdiction over homeland security-related government activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been enlisted to support the investigation.
Garbarino's letter, citing TechCrunch's reporting, demands Daly's testimony to explain the repeated breaches of Instructure’s systems, reveal the types of data stolen, and detail the company's response and notification process to affected schools. The letter also questions the adequacy of Instructure's collaboration with CISA.
Instructure's Response Under Fire
Instructure, known for its Canvas school portal software, has faced criticism for its handling of the breaches. The company admitted that attackers exploited the same vulnerability twice to access sensitive student data and subsequently defaced school login pages.
This week, Instructure confirmed reaching an agreement with the hackers, claiming they provided proof of data deletion. A ShinyHunters hacker representative informed TechCrunch that they would cease extortion but did not disclose the ransom amount paid.
Security Concerns and Future Implications
Security experts warn that paying ransoms perpetuates future attacks and raises the risk of hackers retaining stolen data for further extortion attempts. Garbarino noted that the second breach by the same hackers raises serious concerns about Instructure's incident response and obligations to data holders.
“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine,” Garbarino's letter stated.
Awaiting Instructure's Response
As of now, Instructure has not indicated whether Daly or another cybersecurity officer will testify. Instructure spokesperson Brian Watkins did not respond to TechCrunch’s request for comment.
The situation continues to develop as lawmakers push for accountability and improved cybersecurity measures.
Source: https://techcrunch.com/2026/05/13/us-lawmakers-demand-answers-from-instructure-after-canvas-data-breaches/
