DarkReading.com reported that “The House Committee on Homeland Security sent a letter about the Canvas cyberattack, the same day that the edtech company said it reached an “agreement” with the ShinyHunters cybercriminals.” The May 14, 2026 article entitled ” Congress Puts Heat on Instructure After Canvas Outage” (https://www.darkreading.com/cyberattacks-data-breaches/congress-instructure-shinyhunters-attacks) included these comments:
Lawmakers are seeking answers from educational technology vendor Instructure, following the high-profile compromise of the company’s Canvas learning management system (LMS) that left thousands of schools and universities without grade reporting and other functions this month.
The House Committee on Homeland Security this week requested Instructure appear before the committee for a briefing on the recent attacks against the edtech company. In a letter to Instructure CEO Steve Daly, the committee questioned why the company was breached twice in the span of a week by the infamous ShinyHunters cybercrime group. Also likely on the docket will be the questions of whether it paid a ransom to the cyberattackers, and whether the incident is related to another attack on its Salesforce environment last fall.
“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” committee chairman Andrew R. Garbarino (R-NY) wrote in the letter, requesting the company meet with members no later than May 21.
Instructure disclosed the initial breach May 1, acknowledging that threat actors had obtained “certain identifying information of users,” including names, emails, student ID numbers, and private messages. ShinyHunters, meanwhile, claimed it possessed more than 3TB of sensitive data from Instructure users representing more than 9,000 educational institutions.
Instructure temporarily took Canvas offline to investigate, and then declared the intrusion “resolved” May 6 and that its LMS was “fully operational.” But the following day, ShinyHunters returned, compromising Canvas and posting a ransom demand on the platform login pages.
The ongoing threat activity has raised questions from lawmakers about Instructure’s response to the initial attack, how the company resolved the matter, and — perhaps most importantly — when it was first breached by ShinyHunters.
What do you think?
First published at https://www.vogelitlaw.com/blog/congress-worried-about-canvas-learning-management-system-cyberattack