US lawmakers press Instructure for answers on Canvas data breaches

Summary
– The House Homeland Security Committee is demanding testimony from Instructure’s CEO about hacks that stole personal data of millions of students.
– Lawmakers want to know how hackers repeatedly breached Instructure’s systems, what data was taken, and how the company is responding.
– Instructure confirmed it paid a ransom to hackers, who claimed to have deleted stolen data, though security experts warn this may fund future attacks.
– The same hackers exploited a vulnerability twice, first to steal data and later to deface school login pages, raising questions about the company’s incident response.
– Instructure has not yet agreed to provide testimony or indicated if its CEO will appear before the committee.
Lawmakers on the U.S. House Homeland Security Committee are pressing Instructure, the company behind the widely used Canvas education software, for answers following a pair of data breaches that exposed sensitive personal information belonging to millions of students around the globe.
Committee Chair Representative Andrew Garbarino has formally requested that Instructure CEO Steve Daly testify about the company’s handling of the cyberattacks. The House Homeland Security Committee has jurisdiction over matters tied to national security, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already been brought in to assist with the incident. In a letter citing TechCrunch’s reporting, Garbarino insists that Daly must explain how hackers were able to breach Instructure’s systems on multiple occasions, disclose precisely what types of student data were stolen, and outline the company’s ongoing response, including how it is notifying affected educational institutions.
The company’s response has drawn sharp criticism, particularly after Instructure acknowledged that the same security vulnerability was exploited twice: first to steal vast amounts of sensitive student data, and later to deface school login portals. This week, Instructure confirmed it had “reached an agreement” with the hackers, who claimed to have deleted the stolen information. A representative for the ShinyHunters hacking group told TechCrunch they would not continue extorting Instructure or its customers, but declined to reveal the ransom amount paid.
Security experts consistently warn that paying ransom demands often funds future criminal activity, and hackers are known to retain stolen data even after promising deletion, leaving victims vulnerable to repeat extortion. Garbarino stated that the second breach by the same group “raises serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.” He further noted that “the scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”
Instructure has not yet indicated whether it will comply with the request for testimony. Company spokesperson Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.
(Source: TechCrunch)