Members of the U.S. House of Representatives are calling on representatives of twice-hacked education software maker Instructure to testify about the company’s response to a cyberattack in which hackers stole the personal data of millions of students around the world.
The House Homeland Security Committee, which has jurisdiction over government activities related to homeland security, investigates hacks and data breaches, the committee’s chairman, Rep. Andrew Garbarino, said in a letter to Instructure CEO Steve Daly. The US cybersecurity agency CISA was called in to assist in the case.
In a letter cited by TechCrunch, Garbarino said the committee is seeking testimony from Daly to determine how the hackers repeatedly penetrated Instructure’s systems and what type of data was stolen. The letter also says lawmakers want to learn how the company is responding to the attack and notifying affected schools, and to investigate whether it is appropriate to work with CISA.
Instructure, which makes the popular school information portal software Canvas, has come under fire for its response to the attack, particularly after hackers admitted to exploiting the same vulnerability to steal large amounts of sensitive student data and deface school login pages.
The company confirmed this week that it had “reached an agreement” with the hackers and claimed it had provided proof that the hackers had deleted the data they had stolen. A representative for the ShinyHunters hackers told TechCrunch that they have no intention of continuing to extort the company or its customers, but declined to say how much the company paid in ransom.
Security experts have long argued that paying hackers only funds future attacks. Hackers are known to keep stolen data even after they claim to have deleted it, often hoping to extort the victim again.
Garbarino said the second breach by the same hacker raises “serious questions about the company’s ability to respond to incidents and its obligations to the institutions and individuals that hold its data.”
“The scale and timing of the infrastructure breach, and the inability of major education technology vendors to contain the attackers after the initial breach, are precisely the types of systemic vulnerabilities that this committee is responsible for investigating,” Garbarino wrote in the letter.
Instructure has not yet said whether it will respond to the letter or whether Daly or its cybersecurity chief will testify.
Instructure spokesperson Brian Watkins did not respond to TechCrunch’s request for comment Wednesday.
