US lawmakers demand answers from Instructure after Canvas data breaches

U.S. House lawmakers are demanding representatives from Instructure, the twice-hacked education software maker, testify about the company’s response to cyberattacks that allowed hackers to steal the personal data of millions of students worldwide.

The House Homeland Security Committee is investigating the hacks and data breach as it has jurisdiction over government activities relating to homeland security, the committee’s chair, Representative Andrew Garbarino, wrote in a letter to Instructure chief executive Steve Daly. U.S. cybersecurity agency CISA has been called in to help with the incident.

Also read: The Great Instagram "Reset" Scare: Breach Fears vs. Technical Glitch

Also read: UH Cancer Center Research Data Exposed In Ransomware Attack

The committee seeks Daly’s testimony to address how hackers repeatedly broke into Instructure’s systems and to disclose the types of data that were taken, Garbarino said in the letter, which cites TechCrunch’s reporting. The letter also says lawmakers want to know how the company is responding to the attacks and notifying affected schools and seek to examine the adequacy of its coordination with CISA.

Instructure, which makes the popular Canvas school information portal software, has faced criticism for its response to the attacks, especially after it conceded that the hackers abused the same vulnerability to steal reams of sensitive student data and then deface school login pages.

The company confirmed this week that it “reached an agreement” with the hackers and claimed the hackers provided evidence that they had deleted the stolen data. A representative for the ShinyHunters hackers told TechCrunch that they would not continue to extort the company or its customers, but declined to say how much the company had paid as ransom.

Security experts have long argued that paying hackers only goes on to fund future attacks. Hackers have been known to retain stolen data even after they claim to have deleted it, often in hopes of extorting victims again.

Garbarino said the second breach by the same hackers raises “serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.”

“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine,” Garbarino wrote in the letter.

Instructure has not yet said if it will respond to the letter, or if Daly — or whoever is responsible for cybersecurity at the company — would testify.

Instructure spokesperson Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.