Canvas Hack Aftermath: Congress Wants Instructure to Answer Questions

The US House of Representatives is demanding testimony from representatives of Instructure, the twice-hacked company that owns the education platform Canvas. Lawmakers are seeking answers to explain the company's delayed response to cyberattacks that enabled bad actors to scrape the personal information of millions of students and teachers nationwide.

Instructure revealed this week that it had reached a deal with the hacker group ShinyHunters, under which the hackers would destroy copies of user data and agree not to extort users. ShinyHunters had hacked the platform first in April and again last week, and claimed to have targeted thousands of universities and school districts. 

The House Homeland Security Committee said it is investigating the hack alongside the Cybersecurity and Infrastructure Security Agency. CISA has been working with Instructure as one of the "outside forensics experts" the company refers to in its incident FAQs, helping to "contain the activity, investigate and apply additional safeguards."

Now the House committee's chair, Rep. Andrew Garbarino, is examining whether Instructure's coordination with CISA was adequate in this situation. In a letter sent to Instructure CEO Steve Daly, Garbarino, a New York Republican, demanded to know how the company was hacked more than once. The House committee also wants more specific information about the types of sensitive information stolen during the hack.

Instructure said the personal data stolen during the Canvas hack included "information like usernames, email addresses, course names, enrollment information and messages."

The agreement with ShinyHunters called for the hackers to delete the data. Instructure said "there is never complete certainty when dealing with cybercriminals," but that it received digital confirmation, in the form of shred logs, that the stolen data had been deleted.

Instructure cautioned affected Canvas users against individual attempts to contact or bargain with the ShinyHunters group, saying its agreement "covers all impacted Instructure customers."

The hacker group first infiltrated Canvas systems on April 29, using a security flaw tied to Free-For-Teacher accounts. This allowed ShinyHunters to scrape personal information tied to students and educators.

While we don't know exactly how many institutions were affected, the hackers claimed they had targeted more than 9,000 universities and public school districts. Canvas is used in K-12 schools, so it's likely that the breach exposed sensitive information of underage students.

The situation escalated when the hackers cracked Instructure's security for a second time on May 7, leaving a message exposing their illicit activity to anyone attempting to sign in to Canvas. Instructure promptly moved Canvas into maintenance mode, during which students were unable to access the service.

If the ShinyHunters name sounds familiar, it's because it's a well-established collective of ransomware hackers. ShinyHunters is the same team that breached Anodot and absconded with some of Rockstar Games' business data in April.

Its previous targets largely consist of large tech companies like Microsoft, Cisco and AT&T, but the hackers have also ransomed information from insurance companies, credit unions and other institutions that handle sensitive data.

Canvas is currently operational, although the Free-For-Teacher accounts have been temporarily disabled as Instructure continues to investigate the exploit used to breach its systems.

Instructure asked customers to continue monitoring their accounts, though its external forensic partner has "found no evidence that the threat actor currently has access to the platform."

Instructure is organizing a webinar for its customers in order to "detail information about the cyberattack and [Instructure's] activities to harden the system." It's currently unclear when this will take place, despite the company's incident update page indicating that it's slated for May 13.

When reached for comment, an Instructure representative pointed CNET to the company's official incident page.

[Photo: a phone held sideways, its screen showing the PowerSchool logo. Caption: A similar data breach happened to PowerSchool in 2024. Despite paying the ransom, customers were still extorted for more money. Credit: Piotr Swat/SOPA Images/LightRocket/Getty Images]

Is the stolen data really destroyed? There's no way to be sure

Instructure reached an agreement with the ShinyHunters hackers, defying the conventional wisdom of industry experts and the FBI's cybercrime division. Once the information is out there, paying a ransom doesn't guarantee it'll ever stop moving between bad actors.

Worse still, Instructure's ransom payment might incentivize ShinyHunters or other ransomware hacker groups to look for more victims.

"It's a very worrying example to see such a high-profile incident result in a payment, especially when acknowledged by the victim company in this fashion," said Troy Hunt, founder and CEO of Have I Been Pwned, a website that keeps track of password info exposed by data breaches. "Unfortunately, it's now a very clear example of how crime does pay, and it normalizes the pattern for future criminals and victims alike."

Hunt speculated that the decision was likely influenced by the scope and scale of the incident. This was a high-exposure data breach, and Instructure is subject to pressure from schools and parents, especially since they handle sensitive information related to underage children.

But at the end of the day, there's no way to guarantee that the stolen data has actually been destroyed; absolute certainty doesn't exist with ransomware cybercrime.

"There could always be another copy," Hunt said. "Instructure's message about 'shred logs' provides no proof whatsoever that all copies of data were deleted."

Hunt pointed to a similar ransomware attack on the education company PowerSchool in December 2024. Though the company paid a sum in exchange for a supposed video of the hackers deleting the stolen data, copies of the sensitive information were later used to extort teachers for additional money.

We can't be sure whether ShinyHunters will use stolen Instructure customer data in the same way, but there's just no guarantee that they don't still have sensitive data of millions of US students.

If you were affected by the recent Canvas hack, it might be time to look into steps you can take to protect yourself from cybercriminals who may have your personal information.
