US lawmakers press Instructure over the Canvas cyberattacks disrupting schools

US lawmakers are escalating scrutiny of Instructure after two attacks on its Canvas learning platform exposed student data and disrupted schools during final exams. In a letter sent this week, the House Committee on Homeland Security asked the company to brief Congress by May 21 about what happened, how the intrusions were contained, and how Instructure is coordinating with federal agencies.

This matters because Canvas is core infrastructure for colleges, school districts, and online programs. A breach in a learning management system does not just create privacy risk. It can also interrupt exams, coursework, teacher-student communication, and administrative workflows at the worst possible moment in the academic calendar.

According to BleepingComputer, which first reported key parts of the incident, Instructure said it detected the original intrusion on April 29 and later confirmed that attackers stole names, email addresses, student ID numbers, and messages exchanged between students and teachers. The company said passwords, financial data, and government identifiers were not part of the exposed dataset. ShinyHunters claimed it stole 280 million records from 8,809 schools, colleges, and education platforms, though that figure comes from the attackers and should be treated cautiously until independently verified.

The second phase of the campaign appears to have raised the stakes for regulators. Attackers reportedly defaced Canvas login portals at institutions across multiple states, posting extortion messages and forcing some schools to cancel exams. BleepingComputer also reported that the attackers used multiple cross-site scripting vulnerabilities to hijack authenticated admin sessions and alter login pages. The Homeland Security Committee said schools in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin reported related disruptions.

The congressional demand for testimony turns this from a large education-sector breach into a broader accountability story. If federal investigators conclude that Instructure’s response or platform security fell short, the fallout could extend beyond breach notifications to procurement reviews, regulatory pressure, and tougher security expectations for software used by public institutions. As first reported by BleepingComputer, Instructure has since reached an agreement intended to stop the public leak of the stolen data, though the company did not directly say whether a ransom was paid.