Canvas Hacks: Lawmakers Grill Instructure Over Repeated Breaches

U.S. lawmakers are grilling Instructure, the company behind the widely-used Canvas educational software. They want answers. Specifically, about repeated data breaches that have compromised the personal data of millions of students worldwide.

That's got the US House Homeland Security Committee asking tough questions. Committee chair Rep. Andrew Garbarino wants Instructure CEO Steve Daly to testify on the company's handling of these cyberattacks. It's part of a wider probe, with the Cybersecurity and Infrastructure Security Agency (CISA) even lending a hand.

*The breaches exploited the exact same vulnerability*. Hackers didn't just grab sensitive data. They even defaced school login pages. Twice. How did the same threat actor manage to get into Instructure's systems on two separate occasions? That's what lawmakers want to know.

Instructure says it cut a deal with the hackers, known as ShinyHunters. ShinyHunters supposedly promised to delete the stolen data. But what was the cost? Instructure isn't saying. Security experts are pretty clear: paying off hackers often just invites more trouble. And who trusts a hacker to actually delete anything?

What Lawmakers Are Asking

• How did hackers repeatedly access Instructure's systems?
• What specific data was compromised?
• Is Instructure even talking to CISA? And are schools being told what's happening?

Garbarino's letter slams Instructure's botched response. Systemic flaws, he says. Big ones. Schools depend on Canvas. That's why this matters so much.

Europe Watching Too

While this is mostly a U.S. problem right now, European schools using Canvas should probably be worried. The European Union's General Data Protection Regulation (GDPR) has tough data protection rules. These breaches? Could mean big trouble for compliance. And trust. Especially for American software firms selling over there.

For Canvas Users

If you're an educator or administrator using Canvas, staying in the loop is key. Does your school have a solid cybersecurity plan? Are you talking to Instructure for updates on their security measures? Honestly, if you're still worried, maybe look at other options.

Still No Answers

• Will Instructure's CEO actually show up to testify?
• How much did they pay ShinyHunters? If anything.
• What new security is Instructure even putting in place to prevent future breaches?

The Bottom Line

Instructure's data breaches lay bare some serious flaws in educational tech security. Online learning is everywhere. Good security isn't just nice to have; it's a must. Transparency. Accountability. Especially when it comes to student data. We need it.