U.S. Congress Investigates Instructure After Repeated Cybersecurity Attacks

Introduction

The U.S. House Homeland Security Committee has asked Instructure, the company that owns the Canvas educational platform, to provide testimony. This request follows two separate cyberattacks that put the personal information of millions of users at risk.

Main Body

The security problems began on April 29, when a hacking group called ShinyHunters used a weakness in 'Free-For-Teacher' accounts to steal usernames, email addresses, and enrollment data. A second attack happened on May 7, where the hackers changed the appearance of login pages, forcing the platform into maintenance mode. The impact is significant, as the hackers claim to have targeted about 9,000 schools, which may have exposed the private data of many students. Instead of following the standard security advice from the FBI, Instructure paid the hackers to delete the stolen data. The company emphasized that this agreement worked because they received 'shred logs' as proof of deletion. However, security experts, such as Troy Hunt, have questioned if these logs are reliable. They argued that hackers often keep secret copies of data, pointing to a similar case with PowerSchool in 2024 where paying a ransom did not stop further attacks. Consequently, Representative Andrew Garbarino has started an investigation into whether Instructure worked effectively with the Cybersecurity and Infrastructure Security Agency (CISA). The committee is focusing on why the company failed to stop the hackers after the first attack and whether their overall response plan was sufficient. While Instructure has now disabled the problematic account types, the decision to pay the hackers remains a major point of debate.

Conclusion

Instructure's systems are now working normally, but the company is still being investigated by the government regarding its data protection failures and its choice to pay the ransom.

Learning

💡 The Power of "Whether"

At the A2 level, you probably use "if" for everything. Example: "I don't know if it is raining."

To reach B2, you need to master "whether." It is used when there are two clear, opposite possibilities (Yes or No / This or That). It makes your English sound more formal and precise, especially in professional or academic reports.

Look at the text:

"...an investigation into whether Instructure worked effectively..."

In this sentence, the government is asking: Did they work effectively? Yes or No? Using "whether" here shows a formal investigation of a choice or a fact.


đŸ› ī¸ Leveling Up Your Vocabulary: Cause & Effect

Stop using "so" for every result. B2 speakers use connectors to link complex ideas. Look at this transition from the article:

Consequently → This is a high-level way to say "Because of this / As a result."

A2 style: The company paid the hackers, so the government is investigating.

B2 style: The company paid the hackers; consequently, the government has started an investigation.


🚩 Red Flag: The "False Security" of Simple Verbs

Notice how the text describes the problem. It doesn't just say "the hackers took data." It uses precise verbs:

  • Exposed: To make something visible that should be hidden.
  • Disabled: To turn something off so it cannot be used.
  • Questioned: To express doubt about whether something is true.

Pro Tip: To move toward B2, replace general verbs (like get, take, put, do) with specific ones that describe the action more accurately.

Vocabulary Learning

investigation (n.)
a formal inquiry or examination into a matter
Example: The committee launched an investigation into the data breach.

cybersecurity (n.)
the practice of protecting computers, networks, and data from theft or damage
Example: Cybersecurity measures are essential for online businesses.

attacks (n.)
violent or aggressive acts against a target, often in a digital context
Example: The company faced several attacks on its servers.

platform (n.)
a software system that provides services or features to users
Example: The Canvas platform is used by many schools worldwide.

deletion (n.)
the act of removing or erasing data
Example: The deletion of the stolen files was confirmed by logs.

proof (n.)
evidence that something is true or real
Example: The logs served as proof that the data had been deleted.

reliable (adj.)
trustworthy or dependable
Example: The logs were not considered reliable by experts.

ransom (n.)
money demanded for the release of something
Example: They paid a ransom to the hackers to stop the attacks.

agency (n.)
an organization that provides a specific service
Example: The Cybersecurity and Infrastructure Security Agency works to protect national infrastructure.

response (n.)
a reaction or action taken in reply to something
Example: The company's response plan was criticized for being too slow.

plan (n.)
a detailed proposal for achieving a goal
Example: The response plan was reviewed by the committee.

failure (n.)
the lack of success or the inability to meet expectations
Example: The data protection failure led to a government investigation.

protect (v.)
to keep safe from harm or danger
Example: The company must protect user data from breaches.

decision (n.)
a conclusion or choice made after consideration
Example: The decision to pay the hackers was controversial.

debate (n.)
a discussion or argument about a topic
Example: There is a debate about whether paying ransom is effective.