Congress Demands Answers: Instructure Executives Called to Testify on Canvas Breaches

Background of the Canvas Cyberattacks

The U.S. House Committee on Homeland Security has escalated its oversight of Instructure, the company behind the widely used Canvas learning management system, following two major cyberattacks. The attacks, attributed to the notorious ShinyHunters extortion group, resulted in the theft of student personal data and caused significant disruption to academic institutions during the critical period of final exams. The committee has formally requested testimony from Instructure executives to explain the security lapses and the company's response to the breaches.

The Two Attacks: What Happened

First Incident: Data Exfiltration

In the initial breach, ShinyHunters exploited vulnerabilities in Canvas's third-party integrations to access back-end databases. The attackers exfiltrated student records including names, email addresses, and academic progress data. This incident went undetected for several weeks before a routine security audit revealed unauthorized access logs.

Second Incident: Ransomware and Disruption

The second attack was more aggressive. Using stolen credentials from the first breach, the group deployed ransomware that locked out thousands of schools from their Canvas environments. The timing—right before final exams—caused widespread chaos as teachers scrambled to administer tests via alternative methods and students faced delayed grades. ShinyHunters demanded a ransom in cryptocurrency, threatening to publish stolen data if not paid. Learn about the committee's response below.

Homeland Security Committee's Involvement

The House Homeland Security Committee, led by Chairman Mark Green, sent a formal letter to Instructure's CEO demanding that key executives appear at a hearing. The letter cited “grave concerns about national cybersecurity resilience and the protection of educational infrastructure.” The committee specifically requested:

• A timeline of when Instructure first detected each breach
• Details on the security measures in place at the time of the attacks
• Steps taken to mitigate damage and prevent future incidents
• Communication protocols with affected school districts and student privacy regulators

Observers note that this marks the first time a congressional committee has directly targeted an educational technology provider over a cybersecurity incident, signaling a shift in focus from traditional corporate targets to the edtech sector.

Who Are the ShinyHunters?

ShinyHunters is a cyber extortion group known for targeting major companies and government entities. They gained notoriety after breaching Microsoft's GitHub repository and later attacking multiple e-commerce platforms. Their modus operandi typically involves:

1. Scanning for unpatched vulnerabilities or weak passwords
2. Exfiltrating massive datasets (often in the terabyte range)
3. Demanding ransom in exchange for not leaking the data
4. Leaking data if demands are not met, as seen in previous attacks on Pixlr and Tokopedia

The group's shift to targeting educational platforms like Canvas indicates a broader strategy to exploit the high sensitivity of student data and the pressure schools face to resume normal operations quickly.

Impact on Schools and Students

Disruption to Academic Calendar

Hundreds of K-12 school districts and universities across the United States reported that Canvas was unavailable for days. Many institutions had to:

• Postpone or cancel final exams
• Issue emergency test formats via email or paper
• Extend submission deadlines for assignments
• Provide mental health resources for students stressed by the uncertainty

Student Data at Risk

The stolen data includes personally identifiable information (PII) such as birth dates, home addresses, and even special education documentation. Cybersecurity experts warn that such data can be used for identity theft, phishing attacks against students, and even academic fraud—where attackers impersonate students to alter grades or enroll in courses. Read more about ShinyHunters' methods.

Implications for the Edtech Industry

This incident has sent shockwaves through the educational technology space. Analysts predict that:

• Increased regulatory scrutiny is inevitable—similar to how healthcare faced HIPAA enforcement after breaches
• School districts will demand stronger contractual security guarantees from vendors
• Cybersecurity insurance premiums for edtech companies may rise sharply
• A potential wave of class-action lawsuits from affected students and parents

Instructure, which serves over 40 million users globally, now faces a reputation crisis. The company has since announced a comprehensive security overhaul, including mandatory multi-factor authentication for all admin accounts and penetration testing partnerships with independent firms.

What's Next: Testimony and Possible Legislation

The requested testimony is expected to take place within the next 60 days. The committee may use the information to draft new legislation requiring baseline cybersecurity standards for any edtech company that receives federal funding. Meanwhile, the FBI's Cyber Division has opened an investigation into the ShinyHunters group.

For now, schools are advised to:

• Change all Canvas-related passwords immediately
• Enable multi-factor authentication
• Monitor student data for signs of misuse
• Back up critical data offline

As one committee aide stated: “Our education system cannot be held hostage by cybercriminals. We need answers and we need accountability.”

Back to top