U.S. Rep. Anderw Garbarino (R-NY) is asking for more information on two cyber intrusions that impacted platforms used by nearly 9,000 schools and universities.
In a letter to Instructure Holdings, Inc., Garbarino, chair of the House Committee on Homeland Security, asked for information about cyberattacks on the company’s platform, Canvas, reportedly carried out by the cybercriminal group ShinyHunters. Canvas is used by schools and universities across the country. ShinyHunters claims the incident involved data associated with hundreds of millions of users, but the full scope of the breach remains under investigation.
Garbarino asked in the letter about the potential exposure of student and faculty information, and the broader risks posed by repeated attacks against the education sector. Public reports indicated ShinyHunters posted ransom messages on Canvas login pages and gave Instructure Holdings and affected institutions until May 12, 2026 to engage before the group threatened to release stolen data.
“Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice. The group reportedly first struck on May 1, accessing personal data belonging to students and faculty across thousands of institutions, and struck again on May 7, defacing Canvas login pages nationwide and posting ransom demands directly on students’ screens,” Garbarino wrote. “With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern.”
Chairman Garbarino requested that Instructure brief the Homeland Security Committee on the nature of the breach, the extent of any compromised information, the company’s response to the incident and the steps it was taking to mitigate future risks.
“ShinyHunters is a well-documented criminal threat actor with an extensive record of large-scale data theft and extortion targeting major organizations across multiple sectors. The group has previously claimed responsibility for breaches at Ticketmaster, AT&T, and several other organizations,” the Congressman wrote. “They consistently employ the same operational playbook where they exploit a vulnerability, exfiltrate sensitive records, publicize the theft, and pressure the victim into paying a ransom to prevent public disclosure”