Congress investigates Canvas breach as company pays ransom

The US Congress has summoned education tech firm Instructure's CEO Steve Daly to the Hill to explain how digital thieves breached its Canvas online platform twice within two weeks. In a letter sent to the digital learning giant late Monday - around the same time Instructure said it had reached an agreement" with extortion crew ShinyHunters - the US House Homeland Security Committee requested" that Daly or a senior representative" schedule a briefing with the committee as part of its investigation into the hacks. The briefing should address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company's coordination with federal law enforcement and CISA," Homeland Security Committee Chairman Andrew Garbarino (R-NY) wrote [PDF]. With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern," Garbarino said. Also late Monday, the education tech giant said it "reached an agreement with the unauthorized actor involved in this incident." Both Instructure and ShinyHunters, the cyber gang that claimed to have stolen data affecting up to 275 million students, teachers, and staff, claimed that this agreement" involved deleting all of the stolen files. In other words: the company paid the undisclosed extortion demand prior to the Tuesday deadline, at which time ShinyHunters said they would leak all of the 8,800 colleges, universities, and K-12 schools' records. "We received digital confirmation of data destruction (shred logs)," Instructure said, adding "We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise." The Reg has learned that ShinyHunters abused XSS vulnerabilities in Canvas' Free-for-Teacher learning software, and the bugs allowed the data thieves to obtain administrative access. During the first intrusion, which Instructure detected on April 29, the extortionists claimed to have stolen about 3.6 TB of uncompressed data, including usernames, email addresses, course names, enrollment information, and messages. On May 7, the crooks broke back into Canvas' systems via the same vulnerability and injected JavaScript containing ransom demands directly into hundreds of Canvas school login portals, causing the ed-tech firm to take the platform offline for a day - during final exams and Advanced Placement testing for many. This is the second known security incident involving ShinyHunters and Instructure in less than a year. The extortion crew also breached Instructure's Salesforce environment in September 2025. Instructure plans to hold a public webinar on Wednesday with the leadership team to detail information about the cyber attack and our activities to harden the system," which will be held across multiple time zones." (R)