U.S. House lawmakers have launched a formal investigation into Instructure, the developer behind the Canvas education platform, following a series of cyberattacks that compromised the sensitive personal data of millions of students globally. The House Homeland Security Committee is now demanding answers regarding the company’s security failures and its controversial response to the incidents.
Congressional Oversight into Security Failures
Representative Andrew Garbarino, chair of the House Homeland Security Committee, addressed a formal letter to Instructure CEO Steve Daly. The committee, which holds jurisdiction over national cybersecurity concerns, is calling for a senior executive to provide a detailed account of how hackers successfully breached company systems on multiple occasions.
The investigation seeks to clarify the specific nature of the stolen data and evaluate the effectiveness of the company’s coordination with the Cybersecurity and Infrastructure Security Agency (CISA), which has been brought in to assist with the breach response.
Controversy Over Ransom Payments
Instructure has faced significant backlash for its handling of the security lapses. The company recently confirmed it reached an agreement with the attackers, claiming they provided proof that the stolen data had been deleted. However, the hackers, linked to the group ShinyHunters, have refused to disclose whether a ransom was paid or the specific amount involved.
Security experts warn that paying ransoms often incentivizes future criminal activity and offers no guarantee that stolen data will be permanently destroyed. The fact that the same vulnerability was exploited twice has drawn sharp criticism from federal lawmakers.
Systemic Vulnerabilities in EdTech
Representative Garbarino highlighted the gravity of the situation, noting that the repeated intrusions raise “serious questions” about Instructure’s incident response protocols and its duty of care toward the institutions and students it serves.
“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine,” Garbarino stated.
While the committee is currently requesting a closed-door briefing, it remains unclear if Instructure executives will comply. As of Wednesday, company representatives have not provided a formal comment on the inquiry.