Canvas Cyberattack: US Govt Seeks Instructure Testimony

May 13, 2026 04:00

US Government Seeks Instructure Testimony on Canvas Cyberattack

The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company’s Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams.

In a letter sent to Instructure CEO Steve Daly, Homeland Security Committee Chairman Andrew R. Garbarino said the committee is investigating the massive breach at Instructure that impacts millions of students. The committee is concerned about the company's incident response capabilities and its obligations to properly protect the data it stores.

Background on the Breach

Instructure disclosed on May 3 that it had suffered a breach, which was later confirmed to have occurred on April 29. The company said the exposed information included names, email addresses, student identification numbers, and messages exchanged between students and teachers on the platform. However, the data did not include passwords, financial information, or government identifiers.

The ShinyHunters extortion gang claimed responsibility for the attack, stating that they stole 280 million data records from 8,809 colleges, school districts, and online education platforms. The threat actor shared a list of impacted education organizations, with stolen record counts ranging from tens of thousands to several million for each institution.

Second Attack and Disruption

The ShinyHunters group conducted a second attack that defaced Canvas login portals at schools and universities across the United States, displaying extortion messages demanding that Instructure negotiate with the group. The disruption affected institutions across multiple states during final exams and end-of-semester activities, with some colleges forced to cancel exams.

According to the Homeland Security Committee letter, schools in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin reported disruptions tied to the incident. The committee also referred to messages posted by the attackers claiming they targeted Instructure again because the company refused to negotiate with the group.

Agreement with ShinyHunters

Soon after ShinyHunters removed Instructure from its data leak site, the company disclosed that it had reached an agreement with ShinyHunters to stop the public leak and ensure the stolen data was deleted. While the company did not outright state that it paid a ransom or directly confirm questions on the matter, extortion groups rarely agree to delete stolen data or halt leaks unless some form of payment or agreement has been reached.

The extortion gang updated its data leak site with a new statement claiming that the data has been destroyed and that schools do not need to independently contact them to negotiate. The statement reads:

We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved.

Committee Request for Testimony

The Homeland Security Committee is requesting that Instructure or a senior company representative participate in a briefing no later than May 21 to discuss both intrusions, the stolen data, the company's containment and notification efforts, and its coordination with federal agencies. The committee wants to understand the company's incident response capabilities and its obligations to protect the data it stores.


Source: BleepingComputer
