The US House Committee on Homeland Security has asked Instructure to provide details on the recent cyberattacks that disrupted its broadly used online learning system Canvas.
An initial intrusion on April 29 was blamed for the disruption of tools relying on API keys. The education technology company restored the services by May 3, but took them offline again on May 7, after the hackers returned and defaced school login portals.
The attack was claimed by the notorious extortion group ShinyHunters, which allegedly stole 3.65 terabytes of data, including the personal information of 275 million students, teachers, and other individuals at approximately 9,000 education institutions.
This week, Instructure revealed that it struck a deal to have the stolen data returned and erased from the hackers’ servers. It also noted that an issue with its Free-For-Teacher accounts was exploited in both intrusions and that the incident has been fully contained.
“As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts,” the company said on Monday.
Now, the Committee on Homeland Security is summoning Instructure to a briefing, demanding answers on how the intrusion occurred, what types of data were affected, and how the company resolved the attack.
“The briefing should address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and CISA,” the Committee told Instructure in a letter (PDF) this week.
“The Committee takes seriously both the harm to students and educational institutions caused by this incident and the broader implications for how the educational technology sector manages and discloses cybersecurity risks,” the letter reads.
According to the Committee, the May 7 disruption impacted universities and school districts across 11 states, and ShinyHunters’ past attacks against Ticketmaster, AT&T, and various educational institutions are evidence of the threat it poses.
“With students at more than 8,000 institutions navigating final examinations and end-of-semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern,” the letter reads.
Related: 716,000 Impacted by OpenLoop Health Data Breach
Related: BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months
Related: West Pharmaceutical Services Hit by Disruptive Ransomware Attack
