US lawmakers demand answers from Instructure after Canvas data breach

Lawmakers in the US House of Representatives are asking representatives of Instructure, the education software maker that was hacked twice, to testify about the company’s response to cyberattacks that allowed hackers to steal the personal data of millions of students around the world.

The House Homeland Security Committee is investigating hacks and data breaches, as it has jurisdiction over government activities related to homeland security, the committee’s chairman, Rep. Andrew Garbarino, wrote in a letter to Instructure CEO Steve Daley. The US cybersecurity agency CISA was called in to assist in the incident.

The committee is seeking Daly’s testimony to address how hackers repeatedly compromised Instructure’s systems and revealed what types of data were taken, Garbarino said in the letter, which cites TechCrunch reporting. The letter also says lawmakers want to know how the company responded to attacks and notified affected schools and are seeking to examine the adequacy of its coordination with CISA.

Instructure, which makes popular school information portal software Canvas, has faced criticism for its response to the attacks, especially after it admitted that hackers abused the same vulnerability to steal troves of sensitive student data and then deface school login pages.

The company confirmed this week that it had “reached an agreement” with the hackers and claimed that the hackers had provided evidence that they had deleted the stolen data. A representative for the ShinyHunters hackers told TechCrunch that they would not continue to extort the company or its customers, but declined to specify how much the company paid in ransom.

Security experts have long argued that paying hackers only goes to fund future attacks. Hackers are known to keep stolen data even after they claim to delete it, in the hope of extorting victims again.

The second breach by the same hackers raises “serious questions about the company’s incident response capabilities and its obligations to the organizations and individuals whose data it holds,” Garbarino said.

“The scale and timing of the Instructure breach, and the apparent inability of a major educational technology vendor to contain the threat actor after the initial intrusion, are precisely the type of systemic vulnerabilities this committee has a responsibility to examine,” Garbarino wrote in the letter.

Instructure has not yet said whether it will respond to the letter, or whether Daly — or anyone responsible for cybersecurity at the company — will testify.

Instructure spokesman Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.