Members of the U.S. House of Representatives are pressing for answers from Instructure, the educational software company that has experienced two significant data breaches, compromising the personal information of millions of students globally.
The House Homeland Security Committee is conducting an investigation into these incidents, as they fall under its purview concerning national security matters. Representative Andrew Garbarino, the committee chair, has formally requested Instructure's CEO, Steve Daly, to provide testimony regarding the company's handling of these cyberattacks.
The committee aims to understand the methods employed by hackers to infiltrate Instructure's systems repeatedly and the nature of the data that was compromised. Garbarino's correspondence highlights the need for clarity on how Instructure is addressing these breaches and informing affected educational institutions. Additionally, the committee seeks to evaluate the effectiveness of Instructure's collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Instructure, known for its widely used Canvas platform, has faced scrutiny regarding its response to the breaches. Reports indicate that hackers exploited the same vulnerability to both extract sensitive student data and deface school login pages.
This week, Instructure acknowledged that it had "reached an agreement" with the hackers, asserting that they provided proof of deleting the stolen data. However, representatives from the hacking group, known as ShinyHunters, indicated that they would cease extorting the company and its clients, although they did not disclose the ransom amount paid.
Experts in cybersecurity caution that paying ransoms can inadvertently finance future cyberattacks, as hackers may retain access to stolen data despite claims of deletion.
Garbarino expressed concerns regarding the implications of the second breach by the same group, raising doubts about Instructure's capability to manage such incidents and its responsibilities to the educational institutions and individuals whose data is at stake.
He emphasized that the scale and timing of the breaches reflect systemic vulnerabilities that the committee must investigate thoroughly.
As of now, Instructure has not announced whether it will respond to the committee's request or if Daly or another cybersecurity official will testify.
A spokesperson for Instructure has not provided any comments regarding the situation.
