Congress Turns Up the Heat on Canvas Parent Company
US House lawmakers are demanding accountability from Instructure, the company behind the widely used Canvas learning management system, after hackers breached its systems twice and made off with substantial amounts of student data.
The congressional inquiry signals growing frustration on Capitol Hill over how education technology companies protect the sensitive personal information of the students who use their platforms — often without any say in the matter.
What Happened
Instructure, which owns and operates Canvas — one of the most widely adopted student data platforms in North American schools and universities — suffered two separate security breaches in which hackers accessed and stole data belonging to students.
The full scope of the stolen data has not been publicly disclosed, but lawmakers are pushing the company to provide a detailed account of what was taken, how many students were affected, and what safeguards were — or weren't — in place at the time of each intrusion.
Canvas is used by thousands of schools, colleges, and universities to manage coursework, grades, assignments, and student communications. That means the platform holds a treasure trove of personally identifiable information (PII) on minors and young adults — making it an attractive target for cybercriminals.
Why Lawmakers Are Alarmed
The bipartisan concern reflects a broader anxiety about the edtech sector's track record on data security. Unlike healthcare or financial services, the education technology space has historically operated with fewer regulatory guardrails around how student data is stored, shared, and protected.
US House members are asking Instructure to explain the timeline of each breach, what types of data were compromised, whether affected students and institutions were notified in a timely fashion, and what remediation steps the company has taken since.
For many parents and educators, the fact that this happened not once but twice at the same company is particularly troubling — raising questions about whether Instructure treated the first breach as a serious wake-up call.
The Bigger Picture for Edtech
The Instructure situation is part of a larger pattern. Education institutions and the tech vendors they rely on have become frequent targets for ransomware gangs and data thieves, drawn by the combination of sensitive personal data and historically underfunded IT security budgets.
High-profile breaches at school boards and ed-tech platforms across North America have prompted calls for stricter federal standards around student data protection — including mandatory breach notification timelines, limits on data retention, and stronger penalties for companies that fail to secure student information.
For Canadian schools and universities that use Canvas — and there are many — the US congressional inquiry may foreshadow similar scrutiny from Canadian regulators. The Office of the Privacy Commissioner has been increasingly active in holding tech companies accountable under PIPEDA and provincial privacy laws when Canadian student data is caught up in cross-border incidents.
What Comes Next
Instructure has not yet publicly responded to the congressional demands. Lawmakers are expected to set a deadline for the company's reply, and the matter could escalate to formal hearings if responses are deemed insufficient.
For now, students, parents, and educators who rely on Canvas are left waiting to learn the full extent of what was exposed — and whether their own data was among the records stolen.
Source: TechCrunch
