US Government Checks Canvas Company After Data Theft
Introduction
The US government wants to talk to Instructure. This company owns Canvas. Hackers stole personal information from millions of people.
Main Body
Hackers attacked Canvas two times in May. They stole names and emails from students and teachers. Many schools had this problem. Instructure paid money to the hackers. The company says the hackers deleted the data. But experts say this is a bad idea. They say hackers often keep the data. Now, a government leader named Andrew Garbarino is asking questions. He wants to know why the company did not stop the hackers. He wants to know if the company followed the rules.
Conclusion
Canvas is working now. But the government is still checking the company and its mistakes.
Learning
⚡ The 'Action' Words (Past Tense)
In this story, everything happened in the past. To move to A2, you must see how words change to show something is finished.
The Pattern: Most words just add -ed at the end.
- Attack → Attacked
- Pay → Paid (This one is special!)
- Want → Wanted (implied context)
Real Examples from the Text:
- "Hackers attacked Canvas"
- "Instructure paid money"
📦 Grouping Things (Plurals)
Notice how the text talks about more than one person. Just add -s.
- Hacker → Hackers
- School → Schools
- Question → Questions
Pro Tip: When you see an -s at the end of a noun, it means many, not one.
U.S. Congress Investigates Instructure After Repeated Cybersecurity Attacks
Introduction
The U.S. House Homeland Security Committee has asked Instructure, the company that owns the Canvas educational platform, to provide testimony. This request follows two separate cyberattacks that put the personal information of millions of users at risk.
Main Body
The security problems began on April 29, when a hacking group called ShinyHunters used a weakness in 'Free-For-Teacher' accounts to steal usernames, email addresses, and enrollment data. A second attack happened on May 7, where the hackers changed the appearance of login pages, forcing the platform into maintenance mode. The impact is significant, as the hackers claim to have targeted about 9,000 schools, which may have exposed the private data of many students. Instead of following the standard security advice from the FBI, Instructure paid the hackers to delete the stolen data. The company emphasized that this agreement worked because they received 'shred logs' as proof of deletion. However, security experts, such as Troy Hunt, have questioned if these logs are reliable. They argued that hackers often keep secret copies of data, pointing to a similar case with PowerSchool in 2024 where paying a ransom did not stop further attacks. Consequently, Representative Andrew Garbarino has started an investigation into whether Instructure worked effectively with the Cybersecurity and Infrastructure Security Agency (CISA). The committee is focusing on why the company failed to stop the hackers after the first attack and whether their overall response plan was sufficient. While Instructure has now disabled the problematic account types, the decision to pay the hackers remains a major point of debate.
Conclusion
Instructure's systems are now working normally, but the company is still being investigated by the government regarding its data protection failures and its choice to pay the ransom.
Learning
💡 The Power of "Whether"
At the A2 level, you probably use "if" for everything. Example: "I don't know if it is raining."
To reach B2, you need to master "whether." It is used when there are two clear, opposite possibilities (Yes or No / This or That). It makes your English sound more formal and precise, especially in professional or academic reports.
Look at the text:
"...an investigation into whether Instructure worked effectively..."
In this sentence, the government is asking: Did they work effectively? Yes or No? Using "whether" here shows a formal investigation of a choice or a fact.
🛠️ Leveling Up Your Vocabulary: Cause & Effect
Stop using "so" for every result. B2 speakers use connectors to link complex ideas. Look at this transition from the article:
Consequently: This is a high-level way to say "Because of this / As a result."
- A2 style: The company paid the hackers, so the government is investigating.
- B2 style: The company paid the hackers; consequently, the government has started an investigation.
🚩 Red Flag: The "False Security" of Simple Verbs
Notice how the text describes the problem. It doesn't just say "the hackers took data." It uses precise verbs:
- Exposed: To make something visible that should be hidden.
- Disabled: To turn something off so it cannot be used.
- Questioned: To express doubt about whether something is true.
Pro Tip: To move toward B2, replace general verbs (like get, take, put, do) with specific ones that describe the action more accurately.
Congressional Inquiry into Instructure's Response to Recurrent Cybersecurity Breaches
Introduction
The U.S. House Homeland Security Committee has requested testimony from Instructure, the parent company of the Canvas educational platform, following two distinct cyberattacks that compromised the personal data of millions of users.
Main Body
The security failures commenced on April 29, when the threat actor collective known as ShinyHunters exploited a vulnerability associated with 'Free-For-Teacher' accounts. This initial penetration facilitated the exfiltration of usernames, email addresses, course designations, and enrollment data. A subsequent breach occurred on May 7, during which the actors defaced login interfaces, necessitating a temporary transition of the platform into maintenance mode. The scale of the incident is substantial, with the perpetrators claiming to have targeted approximately 9,000 educational institutions, thereby potentially exposing the sensitive information of minors. In a departure from established cybersecurity protocols advocated by the FBI and industry specialists, Instructure entered into a financial agreement with ShinyHunters. The company asserts that this rapprochement ensured the deletion of stolen data, citing the receipt of 'shred logs' as verification. However, external analysts, including Troy Hunt, have questioned the validity of such logs, noting that the retention of clandestine copies is a common practice among ransomware collectives. This skepticism is reinforced by the precedent of the PowerSchool breach in 2024, where ransom payments failed to prevent subsequent extortion attempts. Consequently, Representative Andrew Garbarino, chair of the House Homeland Security Committee, has initiated an investigation into the adequacy of Instructure's coordination with the Cybersecurity and Infrastructure Security Agency (CISA). The committee's inquiry focuses on the company's failure to contain the threat actor after the primary intrusion and the systemic vulnerabilities inherent in the vendor's incident response capabilities. While Instructure has disabled the compromised account type and intends to conduct customer webinars, the institutional implications of its payment to the hackers remain a point of critical contention.
Conclusion
Instructure's systems are currently operational, though the company remains under legislative scrutiny regarding its data protection failures and its decision to pay a ransom.
Learning
The Architecture of Institutional Euphemism and Forensic Precision
To transition from B2 to C2, a student must move beyond 'correct' vocabulary and master Register Calibration. In this text, the bridge to C2 is found in the strategic use of Nominalization and Latinate Precision to describe chaotic events (cyberattacks) with sterile, administrative detachment.
◈ The 'Sterilization' Effect
Observe how the author avoids emotive or simplistic verbs in favor of high-level noun phrases. This is the hallmark of C2 academic and legal reporting:
- B2 approach: "The hackers stole data." → C2 execution: "The exfiltration of usernames..."
- B2 approach: "The company tried to make a deal with the hackers." → C2 execution: "...entered into a financial agreement... this rapprochement ensured..."
The word rapprochement is a masterstroke of register. Normally used in diplomacy to describe the restoration of friendly relations between nations, its application here to a ransomware negotiation is an example of ironic precision. It frames a desperate payment as a diplomatic maneuver, subtly highlighting the absurdity of the company's position.
◈ Lexical Nuance: The 'Skepticism' Spectrum
C2 mastery requires the ability to signal doubt without using basic adjectives like 'doubtful' or 'unlikely'.
"This skepticism is reinforced by the precedent of the PowerSchool breach..."
Here, the author utilizes The Precedent Logic. Instead of stating "this is probably a lie," the writer anchors the claim in a precedent (a prior legal or factual example). This shifts the argument from an opinion to a systemic analysis.
◈ Syntactic Density: The 'Causal Chain'
Note the construction: "...the systemic vulnerabilities inherent in the vendor's incident response capabilities."
This phrase contains four layers of modification:
- Systemic (Scale)
- Vulnerabilities (Core Subject)
- Inherent (Qualitative state)
- Incident response capabilities (Specific domain)
C2 Strategy: To replicate this, stop using relative clauses (e.g., "vulnerabilities that are part of the system") and start using adjectival clusters and compound nouns. This compresses information and increases the 'weight' of the prose, essential for legislative and high-level corporate discourse.