UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom

UPDATE (originally covered 2026-05-12): Late on 2026-05-11, US House Homeland Security Committee Chairman Andrew Garbarino sent a formal letter to Instructure CEO Steve Daly ahead of the 2026-05-12 ShinyHunters extortion deadline, demanding a briefing by 2026-05-21 on the circumstances of both Canvas intrusions, the volume of data accessed, containment measures, and coordination with federal law enforcement and CISA (The Record, 2026-05-12; The Register, 2026-05-12).

On 2026-05-12 — before the deadline expired — Instructure confirmed it had "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" from ShinyHunters, the operational reliability of which the committee letter explicitly questions. ShinyHunters claims the agreement covers up to 275 million records across roughly 8,800 colleges, universities and K-12 schools (per The Register; The Record cites ~9,000 institutions), including Dutch and Swedish higher-education customers previously confirmed in scope. The second Canvas intrusion is attributed to ShinyHunters exploiting an unpatched flaw in Instructure's "Free-for-Teacher" environment; the initial 2026-04-29 intrusion yielded ~3.6 TB of uncompressed data (usernames, emails, course names, messages). CrowdStrike was retained for forensic analysis.

Defender takeaway: a vendor-side "shred log" is legally non-binding and technically unverifiable; EU institutions must continue to treat the 275M-record dataset as irrevocably compromised for GDPR Art. 33 / data-subject-rights purposes regardless of Instructure's bulk-platform claim. The congressional investigation will likely prompt CISA guidance for higher-education SaaS incident response — relevant context for Swiss universities and EU edtech procurement teams.