Congress Puts Heat on Instructure After Canvas Outage

The House Committee on Homeland Security escalated pressure on Instructure following a major Canvas outage tied to criminal activity. The committee sent a formal letter the same day Instructure announced it had reached an agreement with ShinyHunters, the threat actors responsible for the incident.

Canvas, Instructure's learning management system, serves millions of students and educators across educational institutions globally. The outage disrupted access to course materials, assignments, and grades during a critical period for the academic calendar. ShinyHunters claimed responsibility for the attack and initially threatened to sell stolen data.

The House committee's intervention signals congressional concern about the security of critical educational infrastructure. Lawmakers are scrutinizing how Instructure handled the incident, the scope of data exposure, and what safeguards existed to prevent such attacks. Educational platforms store sensitive information including student records, financial data, and personal identifiable information.

Instructure's agreement with ShinyHunters remains opaque regarding specific terms. Typically, such arrangements involve ransom payments or commitments to cease data sales. The company stated it was working to restore services and had engaged law enforcement and cybersecurity firms to investigate.

The timing of both announcements on the same day raises questions about the incident's severity and response timeline. For institutions relying on Canvas, the outage created operational chaos. Teachers could not post assignments. Students could not submit work or access grades. Administrative functions halted.

ShinyHunters operates as a ransomware-as-a-service affiliate, conducting attacks against high-value targets and selling access to stolen databases. Previous targets included retailers, healthcare providers, and technology companies. Their involvement with Canvas underscores how education remains an attractive target for criminal groups seeking ransom payments or data sales.

Instructure faces mounting pressure to demonstrate it strengthened security controls and improved incident response capabilities. The congressional letter likely requests detailed information about the