US lawmakers demand answers from Instructure after Canvas data breach


Lawmakers in the US House of Representatives are asking representatives of Instructure, the education software maker that was hacked twice, to testify about the company’s response to cyberattacks that allowed hackers to steal the personal data of millions of students around the world.

The House Homeland Security Committee is investigating the hacks and data breaches, as it has jurisdiction over government activities related to homeland security, said Committee Chairman Rep. Andrew Garbarino in a letter to Instructure CEO Steve Daly. The US cybersecurity agency CISA was called in to assist in the incident.

The committee is seeking Daly’s testimony to address how hackers repeatedly broke into Instructure’s systems and to reveal the types of data that was taken, Garbarino said in the letter, which cites TechCrunch reporting. The letter also says lawmakers want to know how the company responded to the attacks and notified affected schools, and are seeking to examine the adequacy of its coordination with CISA.

Instructure, which makes popular school information portal software Canvas, has faced criticism for its response to the attacks, especially after it admitted that hackers had abused the same vulnerability to steal troves of sensitive student data and then deface school login pages.

The company confirmed this week that it had “made an agreement” with the hackers and claimed that the hackers provided evidence that they deleted the stolen data. A representative for the ShinyHunters hackers told TechCrunch that they would not continue to extort the company or its customers, but declined to specify how much the company paid in ransom.

Security experts have long argued that paying hackers only goes to fund future attacks. Hackers are known to retain stolen data even after they claim to delete it, often in the hope of blackmailing victims again.

The second breach by the same hackers raises “serious questions about the company’s incident response capabilities and its obligations to the organizations and individuals whose data it holds,” Garbarino said.

“The scale and timing of the Instructure breach, and the apparent inability of a major educational technology vendor to contain the threat actor after the initial intrusion, are precisely the type of systemic vulnerabilities this committee has a responsibility to examine,” Garbarino wrote in the letter.

Instructure has not yet said whether it will respond to the letter, or whether Daly — or anyone responsible for cybersecurity at the company — will testify.

Instructure spokesman Brian Watkins did not respond to TechCrunch’s request for comment on Wednesday.
