The U.S. House Committee on Homeland Security has demanded testimony from Instructure executives regarding two cyberattacks launched by ShinyHunters, an extortion group that compromised the Canvas learning management platform. The attacks resulted in the theft of student data and caused operational disruptions at schools during critical exam periods.
ShinyHunters, a known extortion outfit operating since at least 2020, targeted Canvas users across multiple institutions. The threat actors exfiltrated personal information belonging to students and staff before demanding ransom payments. The timing of the attacks during final exam periods amplified the operational impact, forcing schools to manage both data breach investigations and academic schedule disruptions simultaneously.
Canvas serves millions of students and educators globally as a central hub for course management, assignment submission, and grade tracking. The platform's role in educational infrastructure makes it a high-value target. A compromise affecting Canvas puts sensitive personally identifiable information at direct risk, including names, email addresses, enrollment records, and potentially financial aid details.
The House Committee's subpoena signals congressional concern about both the frequency of attacks against educational technology providers and the inadequacy of current security postures. Lawmakers intend to examine Instructure's incident response timeline, the scope of exposed data, notification procedures, and remediation efforts. The hearing will likely explore whether Instructure disclosed the breaches promptly to affected institutions and students, as required under various state data protection laws.
For organizations relying on Canvas, the attacks underscore the need for enhanced monitoring of learning management systems and verification of vendor security practices. Educational institutions increasingly face targeted attacks because they operate on tight budgets with legacy systems and often house centralized repositories of student data. The ShinyHunters incidents demonstrate that even established SaaS platforms can suffer significant compromises.
Instructure has not disclosed complete details about exploitation vectors or specific Canvas versions affected. Organizations should review access logs,