
U.S. lawmakers are seeking testimony from Instructure executives following cyberattacks that compromised the company’s systems twice and exposed personal information belonging to millions of students worldwide. The inquiry comes as federal officials examine how hackers repeatedly accessed the education software provider’s infrastructure and how the company responded to the breaches.
The House Homeland Security Committee is investigating the incidents, according to a letter sent by committee chair Andrew Garbarino to Instructure chief executive Steve Daly.
Garbarino wrote that the committee is reviewing the breaches because it oversees matters tied to homeland security and cybersecurity risks affecting public institutions. The letter also confirmed that the Cybersecurity and Infrastructure Security Agency has been involved in assisting with the incident response.
Lawmakers Question Incident Response
The committee is requesting Daly’s testimony to explain how hackers repeatedly infiltrated Instructure’s systems and what categories of data were stolen during the attacks.
According to the letter, lawmakers also want details regarding the company’s response procedures, how affected schools were notified, and whether coordination with CISA was sufficient.
The investigation follows criticism directed at Instructure after the company acknowledged that attackers exploited the same vulnerability during both breaches.
Hackers not only stole large amounts of student and staff data but also later defaced school login pages connected to the company’s Canvas platform.
The article noted that Instructure recently confirmed it had “reached an agreement” with the hackers involved in the attacks.
A representative from the cybercrime group ShinyHunters previously told TechCrunch that the group would not continue extorting the company or its customers and claimed the stolen data had been deleted.
However, neither Instructure nor the hackers disclosed the amount of any ransom payment tied to the agreement.
Concerns Over Paying Hackers
Security researchers and cybersecurity experts have long argued against paying ransom demands because such payments can finance future cyberattacks.
The article also noted that some cybercriminal groups have previously retained stolen data even after claiming it had been deleted, later using the information in additional extortion attempts.
Garbarino stated in the letter that the second breach involving the same attackers raised concerns about Instructure’s security practices and incident response capabilities.
“The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine,” Garbarino wrote.
As of Wednesday, Instructure had not publicly stated whether Daly or another executive responsible for cybersecurity would testify before the committee.
