House Homeland Security Committee Chairman Andrew Garbarino, R-N.Y., is seeking a briefing from Instructure Holdings, Inc., after two cyberattacks this month against the company’s Canvas platform disrupted schools and universities nationwide – and just as Instructure reported reaching a deal with hackers to protect stolen data.

In a letter to Instructure CEO Steve Daly made public on May 11, Rep. Garbarino recounted that the cybercriminal group ShinyHunters breached Instructure systems twice within one week – first on May 1 and again on May 7 – during final exam periods and end-of-semester deadlines for many school systems.

Canvas is used by more than 8,000 institutions and serves more than 30 million active users globally.

“Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice,” Garbarino wrote.

He called the disruptions caused by the hacks a “matter of national concern.”

According to the committee chairman, the first attack reportedly exposed personal information belonging to students and faculty across thousands of institutions. In the second incident, the hackers defaced Canvas login pages nationwide and posted ransom demands directly on users’ screens, according to the letter.

ShinyHunters has claimed the breach involves data associated with hundreds of millions of users across nearly 9,000 institutions, although the full extent of the compromise remains under investigation, the congressman said.

Public reports indicated the group gave Instructure and affected institutions until May 12 to engage before threatening to release stolen information, he said.

Garbarino asserted that the repeated intrusions demonstrate shortcomings in the company’s response to the initial breach.

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” he wrote.

The chairman also emphasized that ShinyHunters is a seasoned threat actor with a history of large-scale theft and extortion campaigns. He noted that the group has claimed responsibility for previous attacks on companies, including Ticketmaster and AT&T, as well as recent incidents involving Infinite Campus and McGraw Hill.

Garbarino said the Homeland Security Committee wants Instructure to brief lawmakers on the nature of the breach, the extent of any compromised information, the company’s incident response efforts, and the steps it is taking to reduce ongoing and future cyber risks.

“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine,” Garbarino wrote.

Garbarino asked Instructure to provide the requested information and brief the committee by May 12 – the same deadline ShinyHunters reportedly set for ransom negotiations with the company and affected educational institutions.

For its part, Instructure has been issuing frequent public updates on the hacks and reported “all systems operational” as of May 12.

At the same time, however, Instructure disclosed that it “reached an agreement with the unauthorized actor involved in this incident” to reclaim data stolen in the hacks.

Under the agreement, the company said, “the data was returned to us,” and “we received digital confirmation of data destruction (shred logs).”

“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company said.

“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor,” it said.

“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company explained.

“We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved,” Instructure pledged.

The company also said it is organizing a webinar – tentatively set for May 13 – with Instructure leadership “to detail information about the cyber attack and our activities to harden the system.”

“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers,” Instructure said, adding, “We understand how unsettling situations like this can be, and protecting our community remains our top priority.”

About
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.