The U.S. House Committee on Homeland Security is demanding answers from **Instructure** following two cyberattacks by the **ShinyHunters** extortion group that compromised the company’s **Canvas** platform. The breaches resulted in the theft of student data and caused significant disruptions to schools, particularly during final exams. ### Congressional Investigation Launched In a letter addressed to **Instructure** CEO Steve Daly, Homeland Security Committee Chairman **Andrew R. Garbarino** stated that the committee is investigating the massive breach impacting millions of students. The letter highlights the severity of the incidents and the potential impact on educational institutions. "The Committee on Homeland Security (Committee) is investigating the concerning reports related to recent cybersecurity incidents affecting Instructure Holdings, Inc. and the tens of millions of students, educators, and administrators who rely on its Canvas learning management platform," reads the letter. The committee emphasized that the **ShinyHunters** group breached **Instructure** twice within a single week. ### Details of the Breaches As previously reported by BleepingComputer, **Instructure** disclosed on May 3rd that it had suffered a data breach. The company confirmed that the intrusion was detected on April 29th, revealing that threat actors had compromised systems and stolen data belonging to students and school staff using **Canvas**. According to **Instructure**, the exposed information included names, email addresses, student identification numbers, and messages exchanged between students and teachers on the platform. Critically, the data did not include passwords, financial information, or government identifiers. ### ShinyHunters' Claims On May 3rd, the **ShinyHunters** extortion gang claimed responsibility for the attack, stating that they stole 280 million data records from 8,809 colleges, school districts, and online education platforms. The threat actors shared a list of impacted education organizations, with stolen record counts ranging from tens of thousands to several million for each institution.  *Instructure listing on the ShinyHunters data leak site. Source: BleepingComputer* The **ShinyHunters** group also conducted a second attack, defacing **Canvas** login portals at schools and universities across the United States. These defacements displayed extortion messages demanding that **Instructure** negotiate with the group. This disruption affected institutions across multiple states during critical end-of-semester activities, forcing some colleges to cancel exams.  *ShinyHunters' message on the University of Texas San Antonio's Canvas login page. Source: BleepingComputer* It was later revealed that the threat actors exploited multiple cross-site scripting (XSS) vulnerabilities to obtain authenticated admin sessions and modify the login portal pages. ### Impacted Institutions and Response The Homeland Security Committee letter indicates that schools in numerous states, including California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin, reported disruptions related to the incident. The committee also noted that the attackers claimed they targeted **Instructure** again because the company refused to negotiate initially. ### Agreement Reached Shortly after **ShinyHunters** removed **Instructure** from its data leak site, **Instructure** disclosed that it had reached an agreement with the group to halt the public leak and ensure the stolen data was deleted. While **Instructure** did not explicitly confirm paying a ransom, it is uncommon for extortion groups to delete stolen data or cease leaks without some form of payment or agreement. The extortion gang updated its data leak site with a statement claiming that the data has been destroyed and that schools do not need to contact them for negotiation. "We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved," reads the **ShinyHunters** update. "The Company and it's customers will not further be targeted or contacted for payment. The data is nonexistent." ### Congressional Scrutiny The Homeland Security Committee stated that the repeated compromises raise "serious questions" about **Instructure's** incident response capabilities and its obligations to protect the data it stores. The committee has requested that **Instructure** participate in a briefing no later than May 21st to discuss both intrusions, the stolen data, containment and notification efforts, and coordination with federal agencies.