The US House of Representatives is seeking testimony from representatives of Instructure, the twice-hacked company that owns the education platform Canvas. Lawmakers are seeking answers to explain the company’s delayed response to a cyber attack that enabled bad actors to extract the personal information of millions of students and teachers across the country.
Instructure revealed this week that it has reached an agreement with hacker group ShinyHunters, in which the hackers will destroy copies of user data and agree not to hack users. ShinyHunters first breached the platform in April and again last week, and said they targeted thousands of universities and school districts.
The House Homeland Security Committee said it is investigating the hack along with the Cybersecurity and Infrastructure Security Agency. CISA has been working with Instructure as one of the “external intelligence experts” the company refers to in the incident FAQ, helping to “contain activity, investigate and implement additional safeguards.”
Now the chairman of the House committee, Rep. Andrew Garbarino, examines whether Instructure’s collaboration with CISA was sufficient in this situation. In a letter sent to Instructure CEO Steve Daly, Garbarino, a New York Republican, wants to know how the company was hacked more than once. The House committee also wants more information about the types of sensitive information stolen during the hack.
Instructure said the personal data stolen during the Canvas hack included “information such as usernames, email addresses, course names, registration information and messages.”
The agreement with ShinyHunters called for the hackers to delete the data. Instructure said “there is no absolute certainty when dealing with hackers,” but that it has received digital confirmation, in the form of activated logs, that the stolen data has been removed.
The warning cautioned affected Canvas users against individual attempts to contact or negotiate with the ShinyHunters group, saying its agreement “covers all affected Instructure customers.”
A group of hackers first broke into Canvas systems on April 29, exploiting a security flaw linked to Free Teaching accounts. This allowed ShinyHunters to release personal information tied to students and teachers.
While we don’t know exactly how many institutions were affected, hackers say they targeted more than 9,000 universities and public school districts. Canvas is used in K-12 schools, so it’s possible that the breach exposed sensitive information of young students.
The situation escalated when hackers breached Instructure’s security for a second time on May 7, leaving a message revealing their illegal activity to anyone trying to log into Canvas. Instructure quickly moved Canvas into maintenance mode, where students could not access the service.
If ShinyHunters’ name sounds familiar, it’s because they are a well-established group of ransomware hackers. The ShinyHunters are the same group that broke Anodot and escaped with the others Rockstar Games corporate data in April.
Its previous targets have mainly included large technology companies such as Microsoft, Cisco and AT&T, but hackers have also recovered information from insurance companies, credit unions and other institutions that handle sensitive data.
Canvas is currently active, although Free-For-Teacher accounts have been temporarily disabled as Instructure continues to investigate the exploit used to breach its systems.
Instructure asked customers to continue monitoring their accounts, even though an external intelligence partner “found no evidence that a threat actor had access to the platform.”
Instructure is organizing a webinar for its customers to “detail cyberattacks and [Instructure’s] operations to harden the system.” It is currently unclear when these will take place, despite the company’s incident update page showing it is scheduled for May 13.
When reached for comment, an Instructure representative pointed CNET to the company’s official page for the incident.
A similar data breach occurred at PowerSchool in 2024. Despite paying the ransom, customers were still being scammed for more money.
Is stolen data really corrupt? There is no way to verify
Instructure reached a deal with the ShinyHunters hackers, defying the conventional wisdom of industry experts and the FBI’s cybercrime division. Once the information is out there, paying the ransom doesn’t guarantee it will ever stop circulating among bad actors.
Worse, Instructure’s ransom payment may encourage ShinyHunters or other ransomware gangs to target more victims.
“It’s a very troubling example to see such a high-profile incident lead to a payout, especially when the victim’s company admits in this way,” said Troy Hunt, founder and CEO of Have I Been Pwned, a website that keeps track of password information exposed in data breaches. “Unfortunately, it is now a clear example of how crime pays, and it sets the pattern for future criminals and victims alike.”
Hunt speculated that the decision may have been influenced by the scale and magnitude of the incident. This was a highly publicized data breach, and Instructure is under pressure from schools and parents, especially as they handle sensitive information relating to young children.
Watch this: What to do if your personal information is part of a data breach
But at the end of the day, there’s no way to guarantee that stolen data has been destroyed — absolute certainty doesn’t exist with ransomware cybercrimes.
“There may always be another copy,” Hunt said. “The instruction message about ‘broken logs’ does not provide any evidence that all copies of the data have been removed.”
Hunt pointed to a similar ransomware attack on education company PowerSchool in December 2024. Although the company paid a fortune to obtain a video of alleged hackers deleting stolen data, copies of the sensitive information were later used to extort more money from teachers.
We can’t be sure that ShinyHunters will use stolen Instructure customer data in the same way, but there’s no guarantee that they don’t already have the sensitive data of millions of US students.
If you’ve been affected by the recent Canvas hack, it might be time to take action you can take to protect yourself from cyber criminals who may have your personal information.
