US House lawmakers are demanding that representatives from twice-hacked education software maker Instructure provide information about the company’s response to cyberattacks that allowed hackers to steal the personal data of millions of students worldwide.
The House Homeland Security Committee is investigating the hacks and data breach as it has jurisdiction over government activities related to homeland security, committee chairman Rep. Andrew Garbarino wrote in a letter to Instructure CEO Steve Daly. The US cybersecurity agency CISA has been called in to help with the incident.
The committee is asking Daly or another senior executive to look into how hackers repeatedly broke into Instructure’s systems and disclose the types of data that were obtained, Garbarino said in the letter, which cites the TechCrunch report.
The letter also says lawmakers want to know how the company responds to attacks and notifies affected schools and seeks to review the adequacy of its coordination with CISA.
Instructure, which makes the popular Canvas school information portal software, has faced criticism for its response to the attacks, especially after admitting that hackers exploited the same vulnerability to steal reams of sensitive student data and then falsify school login pages.
The company confirmed this week that it had “reached a settlement” with the hackers and claimed that the hackers had provided evidence that they had deleted the stolen data. A spokesperson for the ShinyHunters hackers told TechCrunch that they would not continue to extort the company or its customers, but declined to say how much the company had paid in ransom.
Security experts have long argued that paying hackers only continues to fund future attacks. Hackers are known to retain stolen data even after they claim to have deleted it, often in hopes of blackmailing victims again.
Garbarino said the second breach by the same hackers raises “serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it owns.”
“The scale and timing of the Instructure breach, and the demonstrated inability of a major education technology vendor to contain a threat actor after an initial intrusion, are exactly the type of systemic vulnerabilities this Committee has a responsibility to examine,” Garbarino wrote in the letter.
Instructure has not yet said whether it will respond to the letter or whether Daly — or whoever is responsible for cybersecurity at the company — will attend the closed-door briefing of lawmakers.
Instructure spokesman Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.
Updated May 14 to note that lawmakers are seeking a closed-door briefing, not public testimony.
