WASHINGTON, D.C. –– Today, House Committee on Homeland Security Chairman Andrew R. Garbarino (R-NY) sent a letter to Instructure Holdings, Inc. requesting information on two recent cyber intrusions targeting the company’s platform, Canvas, which were reportedly carried out by the cybercriminal group known as ShinyHunters. Canvas is widely used by schools, colleges, and universities across the country, and the most recent intrusion occurred during final exams and end of semester deadlines, disrupting access to a platform that students, educators, and administrators rely on for coursework, assignments, exams, and classroom communications. ShinyHunters has claimed the incident involves data associated with hundreds of millions of users across nearly 9,000 institutions, though the full scope of the breach remains under investigation.

In the letter, Chairman Garbarino raised serious concerns about the scope and timing of the incident, the potential exposure of student and faculty information, and the broader risks posed by repeated cyberattacks against the education sector. According to public reports, ShinyHunters posted ransom messages on Canvas login pages and gave Instructure and affected institutions until May 12, 2026, to engage before the group threatened to release stolen data.

Chairman Garbarino requested that Instructure brief the Committee on the nature of the breach, the extent of any compromised information, the company’s incident response, and the steps it is taking to mitigate ongoing and future risks.

Chairman Garbarino wrote, “Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice. The group reportedly first struck on May 1, accessing personal data belonging to students and faculty across thousands of institutions, and struck again on May 7, defacing Canvas login pages nationwide and posting ransom demands directly on students’ screens. With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern.”

Chairman Garbarino continued, “ShinyHunters is a well-documented criminal threat actor with an extensive record of large-scale data theft and extortion targeting major organizations across multiple sectors. The group has previously claimed responsibility for breaches at Ticketmaster, AT&T, and several other organizations. They consistently employ the same operational playbook where they exploit a vulnerability, exfiltrate sensitive records, publicize the theft, and pressure the victim into paying a ransom to prevent public disclosure. The group has increasingly targeted the education sector, including a separate breach at Infinite Campus, a K-12 student information system, and McGraw Hill, a major educational publisher. The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.”

Chairman Garbarino concluded, “The Committee has broad jurisdiction over cybersecurity threats to the United States, including the security of critical digital infrastructure and the federal government’s efforts to assist the private sector in defending against and responding to such threats. The Cybersecurity and Infrastructure Security Agency (CISA), which this Committee oversees, serves as the nation’s lead civilian cybersecurity agency and has a direct role in supporting organizations that have experienced significant cyber incidents. The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”

Read the full letter to Instructure here. 

Background:

Last month,  the Subcommittee on Cybersecurity and Infrastructure Protection and the Subcommittee on Border Security and Enforcement convened a hearing to examine how criminal organizations increasingly rely on cyber-enabled crime to fund their illicit activities, posing a growing risk to public safety and critical infrastructure.

Chairman Garbarino also joined Rep. Vince Fong (R-CA) last month in California for a roundtable with officials from the Cybersecurity and Infrastructure Security Agency (CISA) and representatives from the Central Valley’s military installations, local and state government, and critical infrastructure sectors, to ensure federal efforts are aligned with challenges facing the communities responsible for securing essential systems. 

In January, the Subcommittee on Cybersecurity and Infrastructure Protection held a hearing to discuss how the federal government and private sector can more effectively collaborate to build up a forward-leaning cyber posture. 

Also that month, Chairman Garbarino sent letters to Verizon and the Federal Communications Commission after a nationwide outage left many customers unable to call or text for several hours, raising significant questions about the resilience of Verizon’s network and the security of communications relied upon by more than 40,000 public safety agencies and millions of Americans.

Last Cybersecurity Awareness Month, Chairman Garbarino published an op-ed on the importance of public-private sector coordination to mitigate cybersecurity risks. 

###