The US House Committee on Homeland Security is investigating Instructure regarding recent cyberattacks that compromised its widely used online learning platform, Canvas. The inquiry demands detailed insights into the events that led to these disruptions, affecting the educational sector at large.
Details of the Cyberattack
An initial breach occurred on April 29, disrupting services dependent on API keys. Although Instructure restored functionality by May 3, another attack on May 7 saw hackers vandalizing school login portals. The notorious cyber group, ShinyHunters, has taken responsibility for these intrusions.
ShinyHunters claimed to have exfiltrated 3.65 terabytes of data, impacting 275 million students, educators, and personnel across approximately 9,000 educational institutions. This breach has raised significant concerns about data security within the education sector.
Response and Mitigation Efforts
In response, Instructure negotiated for the stolen data to be returned and removed from the hackers’ servers. The company identified a vulnerability in its Free-For-Teacher accounts, which was exploited during both attacks, and has since contained the incident.
On Monday, Instructure announced a temporary shutdown of Free-For-Teacher accounts, emphasizing their commitment to resolving the security issues associated with these accounts, which are integral to their platform.
Government Oversight and Concerns
The Committee on Homeland Security is pressing Instructure for a comprehensive briefing. This briefing should cover the circumstances surrounding both breaches, the types and extent of data accessed, and the measures taken to mitigate further risks and notify affected parties.
The Committee’s letter emphasized the incident’s impact on students and educational institutions, as well as the broader cybersecurity implications for the educational technology sector. It highlighted the need for effective coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).
The May 7 disruption affected universities and school districts across 11 states, amplifying the urgency of the matter. Given that Canvas serves over 30 million users globally, the breach poses a significant national concern, especially during critical academic periods like final examinations.
In conclusion, the government’s scrutiny of Instructure underscores the critical need for robust cybersecurity measures in educational technology platforms. The outcome of this investigation may set precedents for how cybersecurity risks are managed and disclosed in the future.
