
US Lawmakers Demand Answers from Instructure After Canvas Data Breaches


The Canvas data breach scandal has escalated to the highest levels of U.S. government oversight. House lawmakers are now demanding that Instructure, the company behind the widely used Canvas school portal, provide testimony about its failure to protect sensitive student information. The House Homeland Security Committee is leading the charge, citing two separate cyberattacks that compromised the personal data of millions of students worldwide.

The Scale of the Canvas Data Breach Crisis

In a strongly worded letter to Instructure CEO Steve Daly, Committee Chair Representative Andrew Garbarino made it clear that the situation demands urgent accountability. The committee, which oversees homeland security activities, has called in the Cybersecurity and Infrastructure Security Agency (CISA) to assist with the investigation. Garbarino referenced TechCrunch’s reporting in his letter, emphasizing that hackers exploited the same vulnerability twice to steal massive amounts of student data and deface school login pages.

This Instructure cybersecurity failure is particularly alarming because it affects educational institutions that trust the platform with their most sensitive information. The company’s response has drawn sharp criticism, especially after it admitted that the attackers repeatedly breached its systems through the same security flaw.

Why Lawmakers Are Investigating Instructure

The committee’s primary concern is the company’s incident response capabilities. Garbarino noted that the second breach by the same group—the ShinyHunters hackers—raises “serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.” The lawmakers want to know exactly what data was stolen, how Instructure plans to notify affected schools, and whether its coordination with CISA was adequate.

As a result, the committee is demanding that Daly testify under oath. They seek to understand why the company failed to contain the threat after the initial intrusion. This is a critical point: if a major educational technology vendor cannot secure its systems, the ripple effects could endanger students across the globe.

The Controversial Ransom Payment

Instructure confirmed this week that it “reached an agreement” with the hackers, who provided evidence that they had deleted the stolen data. However, security experts are deeply skeptical. They argue that paying ransoms only funds future attacks and that hackers often retain data for further extortion attempts. The ShinyHunters representative told TechCrunch they would not continue to extort the company, but declined to disclose the ransom amount.

This decision to pay has sparked a broader debate about education software security. Many schools now question whether Instructure can be trusted to protect their students’ privacy, especially when the company’s response appears reactive rather than proactive.

What This Means for Schools and Students

For schools using Canvas, this student data breach is a wake-up call. The compromised information could include names, addresses, academic records, and even Social Security numbers in some cases. Parents and educators must now consider whether their institution’s data is safe with Instructure.

Furthermore, the House Homeland Security Committee investigation could set a precedent for how educational technology companies are held accountable. If lawmakers find that Instructure violated federal guidelines, it could face significant penalties or new regulatory requirements. Schools should review their own cybersecurity protocols and consider best practices for protecting student data.

What Happens Next?

Instructure has not yet responded to the committee’s request. Spokesperson Brian Watkins declined to comment when reached by TechCrunch. The company faces a critical decision: cooperate with the investigation or risk further damage to its reputation. Daly’s testimony, if it occurs, will likely reveal whether Instructure took the first breach seriously enough to prevent the second.

In addition, the CISA investigation will provide an independent assessment of the company’s security posture. This could lead to new guidelines for all educational technology vendors. For now, schools and parents should monitor the situation closely and demand transparency from Instructure.

Ultimately, the Canvas data breach saga highlights a systemic vulnerability in the education sector. Technology companies that handle sensitive student data must prioritize security over profits. As this investigation unfolds, it may reshape how we think about privacy in the digital classroom. For more insights, read our analysis on ransomware trends in education and how to respond to a data breach.
