US lawmakers demand answers from Instructure after Canvas data breach

US House lawmakers want representatives from Instructure, the twice-hacked education software maker, to testify about the company’s efforts to combat cyberattacks that allowed hackers to steal the personal information of millions of students around the world.

The House Homeland Security Committee is investigating hacking and data breaches because it has jurisdiction over government affairs related to national security, the committee’s chairman, Representative Andrew Garbarino, said. letter to Chief Executive Officer Steve Daly. The US cyber security agency CISA has been called in to help with the matter.

The committee wants Daly’s testimony to resolve it how hackers repeatedly broke into Instructure’s systems and disclose the types of data collected, Garbarino said in the letter, which cites TechCrunch reports. The letter also says that lawmakers want to know how the company works and inform the schools involved and look to see if its agreement with CISA is sufficient.

Education, which makes the popular school information app Canvas, has been criticized for its response to the attack, especially after admitting that the attackers used a similar vulnerability to steal students’ personal information later. change school entrance pages.

The company confirmed this week that “collaborated” with the criminals and said the thieves gave evidence that they removed the stolen items. A representative of the ShinyHunters hackers told TechCrunch that they will not continue to target the company or its customers, but declined to say how much the company paid in ransom.

Security experts have long argued that defrauding payers only increases future costs. Hackers are known keep the stolen information even if they say they will remove it, usually in the hope of recapturing the victims.

Garbarino said the second hacker breach raises “serious questions about how the company will respond to what’s happening and its responsibility to the organizations and individuals whose data it owns.”

“The magnitude and duration of the Education breach, and the failure of a major education technology vendor to contain threats after initial intervention, is what the Committee is responsible for evaluating,” Garbarino said in the letter.

Education has not yet said whether it will respond to the letter, or whether Daly – or anyone else with a position at the company – will testify.

Education spokesman Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.