Congress Puts Heat on Instructure After Canvas Outage
Dark Reading, archived May 15, 2026
The House Committee on Homeland Security sent a letter about the Canvas cyberattack, the same day that the edtech company said it reached an "agreement" with the ShinyHunters cybercriminals.
Rob Wright, Senior News Director, Dark Reading
May 14, 2026
Lawmakers are seeking answers from educational technology vendor Instructure, following the high-profile compromise of the company's Canvas learning management system (LMS) that left thousands of schools and universities without grade reporting and other functions this month.
The House Committee on Homeland Security this week requested Instructure appear before the committee for a briefing on the recent attacks against the edtech company. In a letter to Instructure CEO Steve Daly, the committee questioned why the company was breached twice in the span of a week by the infamous ShinyHunters cybercrime group. Also likely on the docket will be the questions of whether it paid a ransom to the cyberattackers, and whether the incident is related to another attack on its Salesforce environment last fall.
"The recurrence of an intrusion within days of an initial breach disclosure, and Instructure's apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds," committee chairman Andrew R. Garbarino (R-NY) wrote in the letter, requesting the company meet with members no later than May 21.
Instructure disclosed the initial breach May 1, acknowledging that threat actors had obtained "certain identifying information of users," including names, emails, student ID numbers, and private messages. ShinyHunters, meanwhile, claimed it possessed more than 3TB of sensitive data from Instructure users representing more than 9,000 educational institutions.
Instructure temporarily took Canvas offline to investigate, and then declared the intrusion "resolved" May 6 and that its LMS was "fully operational." But the following day, ShinyHunters returned, compromising Canvas and posting a ransom demand on the platform login pages.
The ongoing threat activity has raised questions from lawmakers about Instructure's response to the initial attack, how the company resolved the matter, and — perhaps most importantly — when it was first breached by ShinyHunters.
Did Instructure Pay the ShinyHunters Ransom?
In a similar letter to Instructure on Tuesday, the US Senate Committee on Health, Education, Labor, and Pensions said it was investigating the attacks and posed a litany of questions to Daly, including the types of data affected by the breach and the security improvements it has made in the aftermath. The committee's letter pressed the edtech company about its May 11 statement in which Instructure said it "reached an agreement" with the threat actor behind the attacks.
"We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise," Instructure said in the update, adding that the stolen data was "returned" and attackers provided digital confirmation of its destruction. "This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor."
While the company did not admit to paying a ransom, that's the most likely scenario, as ShinyHunters removed Instructure's listing from its data leak site — a move ransomware and data extortion groups typically reserve for victim organizations that pay up. ShinyHunters also issued a statement May 13, saying the group had nothing more to add to the "recent situation at the LMS company" and there was no need for impacted organizations to contact ShinyHunters directly anymore.
The Senate committee's letter also raised questions about "a previous cybersecurity incident in September 2025," and what remedial steps were taken following that attack. The incident in question resulted from a compromise of the company's Salesforce instance, which was disclosed Sept. 21, 2025. Scattered Lapsus$ Hunters, a cybercriminal collective apparently composed of members of Scattered Spider, Lapsus$, and ShinyHunters, listed Instructure on their leak site at the time, as part of a spate of Salesforce incursions last fall that also included companies like Chanel and Qantas Airways. But the culprit behind the attack, as well as many of the other Salesforce breaches, was UNC6040, a threat actor tied to ShinyHunters, according to Google Threat Intelligence Group researchers.
Regardless, it all raises the question of whether data from the Salesforce attack was used to carry out this month's offensive; the answer is unclear, but researchers are emphasizing that the company was clearly earmarked as a repeat target, which in and of itself is concerning.
Instructure Fails to Keep Attackers at Bay After Salesforce
Following the Salesforce breach in September 2025, which Instructure said stemmed from a social engineering attack, the edtech company said it "moved quickly to contain the activity" and conducted a thorough investigation with third-party experts. "Subsequently, we have implemented additional security measures to help prevent similar incidents in the future," the company said in the disclosure. Dark Reading contacted Instructure for comment on whether the Salesforce breach was connected to the recent attacks, but the company did not respond at press time.
In a blog post this week, Abbas Kudrati, chief identity security advisor at Silverfort, wrote that ShinyHunters' recent activity was "categorically different" compared to the September attack, which was limited to the Salesforce instance. However, "This shows that ShinyHunters views Instructure as a high-value target worth revisiting — and any institution relying on Canvas should assume the same targeting could happen again," Kudrati wrote.
Roy Akerman, vice president of identity security strategy at Silverfort, tells Dark Reading that it's typical for threat actors like ShinyHunters to collect as much data as possible from a compromise and use it to their full advantage for a follow-up attack. But the bigger question for Instructure, he says, is what the company did once it detected malicious activity inside its environment.
"The story to me is that attackers are persistent, and it doesn't really matter if they found one piece [of data] that was re-used or not," Akerman says. "Maybe for the legislators, it will matter because it will show negligence or something like that. But I believe at the end of the day, if you're under attack then you need to get yourself into a different mode, and you need to assume that one day they'll place a foothold in your organization. And what's your play then?"
Presumably, Instructure will appear before lawmakers in the near future, although it's unclear if the briefings will be public. In the meantime, Silverfort urged customers to monitor their environments in real time for anomalous authentication behavior and other signs of lateral movement. "The window between initial compromise and significant damage is often hours," Kudrati said.
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.