US Lawmakers Demand Answers from Instructure After Canvas Data Breaches

The Canvas data breach scandal has escalated to the highest levels of U.S. government oversight. House lawmakers are now demanding that Instructure, the company behind the widely used Canvas school portal, provide testimony about its failure to protect sensitive student information. The House Homeland Security Committee is leading the charge, citing two separate cyberattacks that compromised the personal data of millions of students worldwide.

The Scale of the Canvas Data Breach Crisis

In a strongly worded letter to Instructure CEO Steve Daly, Committee Chair Representative Andrew Garbarino made it clear that the situation demands urgent accountability. The committee, which oversees homeland security activities, has called in the Cybersecurity and Infrastructure Security Agency (CISA) to assist with the investigation. Garbarino referenced TechCrunch’s reporting in his letter, emphasizing that hackers exploited the same vulnerability twice to steal massive amounts of student data and deface school login pages.

This Instructure cybersecurity failure is particularly alarming because it affects educational institutions that trust the platform with their most sensitive information. The company’s response has drawn sharp criticism, especially after it admitted that the attackers repeatedly breached its systems through the same security flaw.

Why Lawmakers Are Investigating Instructure

The committee’s primary concern is the company’s incident response capabilities. Garbarino noted that the second breach by the same group—the ShinyHunters hackers—raises “serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.” The lawmakers want to know exactly what data was stolen, how Instructure plans to notify affected schools, and whether its coordination with CISA was adequate.

As a result, the committee is demanding that Daly testify under oath. They seek to understand why the company failed to contain the threat after the initial intrusion. This is a critical point: if a major educational technology vendor cannot secure its systems, the ripple effects could endanger students across the globe.

The Controversial Ransom Payment

Instructure confirmed this week that it “reached an agreement” with the hackers, who provided evidence that they had deleted the stolen data. However, security experts are deeply skeptical. They argue that paying ransoms only funds future attacks and that hackers often retain data for further extortion attempts. The ShinyHunters representative told TechCrunch they would not continue to extort the company, but declined to disclose the ransom amount.

This decision to pay has sparked a broader debate about education software security. Many schools now question whether Instructure can be trusted to protect their students’ privacy, especially when the company’s response appears reactive rather than proactive.

What This Means for Schools and Students

For schools using Canvas, this student data breach is a wake-up call. The compromised information could include names, addresses, academic records, and even Social Security numbers in some cases. Parents and educators must now consider whether their institution’s data is safe with Instructure.

Furthermore, the House Homeland Security Committee investigation could set a precedent for how educational technology companies are held accountable. If lawmakers find that Instructure violated federal guidelines, it could face significant penalties or new regulatory requirements. Schools should review their own cybersecurity protocols and consider best practices for protecting student data.

What Happens Next?

Instructure has not yet responded to the committee’s request. Spokesperson Brian Watkins declined to comment when reached by TechCrunch. The company faces a critical decision: cooperate with the investigation or risk further damage to its reputation. Daly’s testimony, if it occurs, will likely reveal whether Instructure took the first breach seriously enough to prevent the second.

In addition, the CISA investigation will provide an independent assessment of the company’s security posture. This could lead to new guidelines for all educational technology vendors. For now, schools and parents should monitor the situation closely and demand transparency from Instructure.

Ultimately, the Canvas data breach saga highlights a systemic vulnerability in the education sector. Technology companies that handle sensitive student data must prioritize security over profits. As this investigation unfolds, it may reshape how we think about privacy in the digital classroom. For more insights, read our analysis on ransomware trends in education and how to respond to a data breach.

Ransomware Hackers Claim Breach at Foxconn, Major Apple and Google Supplier

The electronics manufacturing giant Foxconn, a key supplier for Apple, Google, and Nvidia, has confirmed it was hit by a Foxconn ransomware attack. The company acknowledged the cyberattack on Monday, stating that some of its facilities in North America may have been affected.

In a brief statement to the press, Foxconn said that the affected factories are now returning to normal production. However, the company did not provide further details about the scope of the breach or the data potentially compromised.

The Nitrogen Ransomware Gang Takes Credit

A ransomware group known as Nitrogen has claimed responsibility for the attack. On its dark web leak site, the group posted a statement alleging that it breached Foxconn’s systems. Nitrogen is a double-extortion ransomware operation, meaning it not only encrypts files but also steals sensitive data before demanding payment.

According to the hackers, they exfiltrated over 11 million files. These allegedly include confidential information from Foxconn’s customers, such as Apple, Dell, Google, Intel, and Nvidia. As proof of the breach, Nitrogen published screenshots of what appear to be product schematics, internal guidelines, and bank statements.

Nitrogen’s typical modus operandi involves threatening to leak the stolen data if the victim does not pay the ransom. This gives the group two ways to monetize the crime: either through the ransom payment itself or by selling the stolen data on underground markets.

Foxconn’s Response and Industry Impact

Foxconn has not yet responded to specific questions about the attack, including the exact number of affected factories or the validity of the hackers’ claims. The company’s initial statement did not mention any ransom demand or negotiations with the attackers.

This Foxconn ransomware attack highlights the vulnerability of major supply chains. Foxconn manufactures devices and components for some of the world’s largest tech companies. A breach at this level could have cascading effects on product development and delivery timelines.

What Is Double Extortion Ransomware?

Double extortion ransomware, as used by Nitrogen, has become increasingly common. The attackers first infiltrate a network, steal sensitive files, and then deploy ransomware to encrypt the systems. Victims face a dual threat: losing access to their data and having it publicly exposed.

This approach puts immense pressure on organizations to pay, even if they have backups. The risk of leaked intellectual property or customer data can be devastating for a company’s reputation and legal standing.

Lessons for Cybersecurity in Manufacturing

The incident serves as a stark reminder for the manufacturing sector. Cybercriminals often target large suppliers because they hold valuable data from multiple high-profile clients. Companies like Foxconn must invest in robust network segmentation, regular security audits, and employee training to detect phishing attempts early.

Furthermore, organizations should have a clear incident response plan. Quick containment and communication can mitigate damage. For more insights on protecting supply chains, check our guide on supply chain cybersecurity best practices.

As the investigation unfolds, the tech industry will be watching closely. The full extent of the Foxconn ransomware attack may not be known for weeks, but the implications for data security in global manufacturing are already clear.

UK Biobank Breach: Health Records of 500,000 Volunteers Listed for Sale on Chinese Platforms

A significant UK Biobank breach has exposed the health data of over half a million volunteers, with records appearing for sale on e-commerce platforms in China. The incident, confirmed by Minister for Digital Government and Data Ian Murray in a House of Commons statement, has raised serious concerns about data security in scientific research. Murray revealed that three listings advertising UK Biobank participant data were identified on Alibaba platforms, with at least one dataset appearing to contain information from all 500,000 volunteers.

What Data Was Exposed in the UK Biobank Breach?

The UK Biobank collects vast amounts of sensitive medical data to support scientific research, including whole-body scans, DNA sequences, and other health records. However, officials stress that the UK Biobank breach did not include personally identifying information such as names, addresses, phone numbers, or NHS numbers. Professor Sir Rory Collins, chief executive of UK Biobank, reassured participants that all data was de-identified and contained no direct personal identifiers. The listings have since been removed, and authorities believe no one purchased the leaked data.

How Did the Data Leak Occur?

The breach was traced to researchers at three academic institutions who misused their access privileges. Collins described their actions as a “clear breach” of contractual agreements. Both the researchers and their institutions have had access to the project suspended. This incident highlights the ongoing challenges in protecting health data breach incidents within large-scale research projects.

Immediate Actions and Security Enhancements

In response to the UK Biobank breach, the organization has temporarily suspended all access to its research platform. New strict limits on file downloads are being implemented to prevent future incidents. UK Biobank is also conducting a comprehensive, board-led investigation. Collins stated that additional steps are being taken to enhance systems and ensure the safe and secure use of participant data. The organization expressed gratitude for support from the UK government, Chinese authorities, and Alibaba for their rapid cooperation in removing the listings.

Lessons for Research Data Security

This Biobank data leak serves as a stark reminder of the vulnerabilities in research data management. While de-identification reduces risk, it is not foolproof. Researchers must adhere to strict protocols, and institutions need robust monitoring systems. For more on protecting sensitive data, check out our guide on data security best practices for research organizations. Additionally, learn about securing cloud-based research platforms to prevent similar incidents.

Building on this, the incident underscores the importance of international cooperation in cybersecurity. The rapid removal of listings by Alibaba and Chinese authorities demonstrates effective cross-border collaboration. However, as the UK Biobank breach shows, proactive measures are essential to prevent data from reaching black markets in the first place.

What Participants Should Know

UK Biobank participants can take comfort that their identities remain protected, as no personal details were compromised. The organization is committed to transparency and has published updates on its website. For those concerned about data privacy, it is worth reviewing your rights regarding research data. The UK Biobank breach, while alarming, has prompted immediate and decisive action to strengthen security protocols.

In conclusion, the UK Biobank breach highlights the delicate balance between advancing scientific research and safeguarding participant data. As investigations continue, the focus remains on preventing future incidents and maintaining public trust in vital research initiatives.