Government to Scrutinize Instructure Over Canvas Disruption, Data Breach

The US House Committee on Homeland Security has asked Instructure to provide details on the recent cyberattacks that disrupted its broadly used online learning system Canvas. An initial intrusion on April 29 was blamed for the disruption of tools relying on API keys. The education technology company restored the services by May 3, but took them offline again on May 7, after the hackers returned and defaced school login portals. The attack was claimed by the notorious extortion group ShinyHunters, which allegedly stole 3.65 terabytes of data, including the personal information of 275 million students, teachers, and other individuals at approximately 9,000 education institutions. This week, Instructure revealed that it struck a deal to have the stolen data returned and erased from the hackers’ servers. It also noted that an issue with its Free-For-Teacher accounts was exploited in both intrusions and that the incident has been fully contained. “As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts,” the company said on Monday. Now, the Committee on Homeland Security is summoning Instructure to a briefing, demanding answers on how the intrusion occurred, what types of data were affected, and how the company resolved the attack.   “The briefing should address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and CISA,” the Committee told Instructure in a letter (PDF) this week. “The Committee takes seriously both the harm to students and educational institutions caused by this incident and the broader implications for how the educational technology sector manages and discloses cybersecurity risks,” the letter reads. According to the Committee, the May 7 disruption impacted universities and school districts across 11 states, and ShinyHunters’ past attacks against Ticketmaster, AT&T, and various educational institutions are evidence of the threat it poses. “With students at more than 8,000 institutions navigating final examinations and end-of-semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern,” the letter reads. Related: 716,000 Impacted by OpenLoop Health Data Breach Related: BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months Related: West Pharmaceutical Services Hit by Disruptive Ransomware Attack Related: SailPoint Discloses GitHub Repository Hack WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Microsoft Patches 137 Vulnerabilities Adobe Patches 52 Vulnerabilities in 10 Products White Circle Raises $11 Million for AI Control Platform West Pharmaceutical Services Hit by Disruptive Ransomware Attack SAP Patches Critical S/4HANA, Commerce Vulnerabilities TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack Skoda Data Breach Hits Online Shop Customers SailPoint Discloses GitHub Repository Hack Latest News Microsoft, Palo Alto Networks Find Many Vulnerabilities by Using AI on Their Own Code Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Webinar Today: ROI for Cyber-Physical Security Programs 716,000 Impacted by OpenLoop Health Data Breach Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises Fortinet, Ivanti Patch Critical Vulnerabilities Chipmaker Patch Tuesday: Intel and AMD Patch 70 Vulnerabilities Hundreds of Malicious Packages Force RubyGems to Suspend Registrations Trending Webinar: ROSI For CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Malwarebytes has named Chung Ip as Chief Financial Officer. Semperis has appointed John Podboy as Chief Information Security Officer. Randy Menon has become Chief Product and Marketing Officer at One Identity. More People On The Move Expert Insights Is The SOC Obsolete, And We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) Flipboard Reddit Whatsapp Email