US Lawmakers Seek Explanations from Instructure Following Canvas Data Breaches

U.S. House lawmakers are demanding that Instructure, the education software maker that has been hacked twice, testify regarding its response to cyberattacks that resulted in the theft of millions of students’ personal data globally.

The House Homeland Security Committee is investigating the data breach as part of its jurisdiction over homeland security activities, as stated by the committee’s chair, Representative Andrew Garbarino, in a letter to Instructure’s CEO, Steve Daly. The U.S. cybersecurity agency CISA has been enlisted to assist with the incident.

The committee seeks Daly’s testimony to address repeated breaches of Instructure’s systems and to reveal the types of data stolen, according to Garbarino’s letter, which cites TechCrunch reports. Lawmakers also want to understand the company’s response to the attacks, how affected schools are being notified, and the adequacy of coordination with CISA.

Instructure, maker of the popular Canvas school portal software, has been criticized for its response to the attacks, particularly after admitting that a vulnerability was exploited to steal sensitive student data and deface school login pages.

The company recently confirmed reaching an agreement with the hackers, claiming they provided proof of data deletion. A representative for the ShinyHunters hackers told TechCrunch they wouldn’t continue extorting the company or its customers but did not disclose any ransom details.

Security experts warn that paying hackers often funds further attacks and that stolen data may be retained for future extortion attempts.

Garbarino stated that the second breach by the same hackers calls into question the company’s incident response capabilities and its obligations to those whose data it holds.

“The scale and timing of the Instructure breach, and the inability of a major educational technology vendor to contain a threat actor post-intrusion, represent systemic vulnerabilities this Committee must examine,” Garbarino wrote.

Instructure has not yet announced whether it will respond to the letter or if Daly—or whoever is responsible for cybersecurity at the company—will testify.

Instructure spokesperson Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.
