House Committee on Homeland Security Chairman Andrew R. Garbarino sent a letter on May 11 to Instructure Holdings, Inc., requesting information about two recent cyber intrusions targeting the company’s platform, Canvas. The attacks, reportedly carried out by the group ShinyHunters, disrupted access to the widely used educational platform during final exams and end-of-semester deadlines. The incidents affected students, educators, and administrators at nearly 9,000 institutions nationwide.
The timing of these breaches is significant because many students were relying on Canvas for coursework and exams. ShinyHunters claimed that data associated with hundreds of millions of users was involved in the breach, though investigations are ongoing to determine the full scope.
In his letter to Instructure Holdings, Garbarino raised concerns about how much information may have been exposed and what steps are being taken to address ongoing risks. He said that public reports indicate ShinyHunters posted ransom messages on Canvas login pages and set a deadline of May 12 for engagement before threatening to release stolen data.
Garbarino wrote, “Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice. The group reportedly first struck on May 1, accessing personal data belonging to students and faculty across thousands of institutions, and struck again on May 7, defacing Canvas login pages nationwide and posting ransom demands directly on students’ screens. With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern.”
He continued: “ShinyHunters is a well-documented criminal threat actor with an extensive record of large-scale data theft and extortion targeting major organizations across multiple sectors. The group has previously claimed responsibility for breaches at Ticketmaster, AT&T, and several other organizations. They consistently employ the same operational playbook where they exploit a vulnerability, exfiltrate sensitive records, publicize the theft, and pressure the victim into paying a ransom to prevent public disclosure. The group has increasingly targeted the education sector... The recurrence of an intrusion within days... raises serious questions about [Instructure's] incident response capabilities.”
Garbarino concluded: “The Committee has broad jurisdiction over cybersecurity threats... including security of critical digital infrastructure... CISA... serves as the nation’s lead civilian cybersecurity agency... The scale and timing of the Instructure breach... are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”
Recent committee activity includes hearings focused on cyber-enabled crime funding criminal organizations; roundtables with federal officials in California regarding critical infrastructure; discussions about improving federal-private sector collaboration in cybersecurity; inquiries into network outages affecting communications; and calls for greater coordination between public- and private-sector entities.
