
Canvas Hack Aftermath: Congress Wants Instructure to Answer Questions

Why This Matters

The congressional scrutiny of Instructure's handling of the Canvas data breaches highlights the critical need for robust cybersecurity measures in educational technology platforms. This incident underscores the importance of timely responses and transparency to protect sensitive student and teacher information, which is vital for maintaining trust and security in digital education tools.

Key Takeaways

The US House of Representatives is demanding testimony from representatives of Instructure, the twice-hacked company that owns the education platform Canvas. Lawmakers are seeking answers to explain the company's delayed response to cyberattacks that enabled bad actors to scrape the personal information of millions of students and teachers nationwide.

Instructure revealed this week that it had reached a deal with the hacker group ShinyHunters, under which the hackers would destroy copies of user data and agree not to extort users. ShinyHunters had hacked the platform first in April and again last week, and claimed to have targeted thousands of universities and school districts.

The House Homeland Security Committee said it is investigating the hack alongside the Cybersecurity and Infrastructure Security Agency. CISA has been working with Instructure as one of the "outside forensics experts" the company refers to in its incident FAQs, helping to "contain the activity, investigate and apply additional safeguards."

Now the House committee's chair, Rep. Andrew Garbarino, is examining whether Instructure's coordination with CISA was adequate in this situation. In a letter sent to Instructure CEO Steve Daly, Garbarino, a New York Republican, demanded to know how the company was hacked more than once. The House committee also wants more specific information about the types of sensitive information stolen during the hack.

Instructure said the personal data stolen during the Canvas hack included "information like usernames, email addresses, course names, enrollment information and messages."

The agreement with ShinyHunters called for the hackers to delete the data. Instructure said "there is never complete certainty when dealing with cybercriminals," but that it received digital confirmation, in the form of shred logs, that the stolen data had been deleted.

Instructure cautioned affected Canvas users against individual attempts to contact or bargain with the ShinyHunters group, saying its agreement "covers all impacted Instructure customers."

The hacker group first infiltrated Canvas systems on April 29, using a security flaw tied to Free-For-Teacher accounts. This allowed ShinyHunters to scrape personal information tied to students and educators.

While we don't know exactly how many institutions were affected, the hackers claimed they had targeted more than 9,000 universities and public school districts. Canvas is used in K-12 schools, so it's likely that the breach exposed sensitive information of underage students.

The situation escalated when the hackers cracked Instructure's security for a second time on May 7, leaving a message exposing their illicit activity to anyone attempting to sign in to Canvas. Instructure promptly moved Canvas into maintenance mode, during which students were unable to access the service.
