ctipilot.ch


Instructure Canvas — ShinyHunters double-intrusion, ransom paid, US House investigation, EU/CH GDPR notification clock

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

On 2026-05-12, Inside Higher Ed confirmed that Instructure paid the ShinyHunters ransom under a "shred logs" agreement, an arrangement that is legally unverifiable from the victim side. A second intrusion was confirmed at the same time, raising questions about whether remediation was complete before payment. By 2026-05-13, the US House Homeland Security Committee had opened a formal investigation; Chairman Garbarino's letter requests a closed-door CEO briefing by 2026-05-21 covering the circumstances of both intrusions, data scope, IR adequacy, and CISA coordination.

As of 2026-05-18, Instructure has not confirmed whether CEO Steve Daly or a designated cybersecurity executive will comply with the 2026-05-21 Congressional deadline. Non-compliance carries no immediate legal enforcement mechanism without a formal subpoena. For CH/EU higher-education institutions (Canvas is deployed at ETH Zurich, EPFL, and major EU university systems), the GDPR Art. 33/34 notification clock runs from when institutions "became aware" of the breach, and the 2026-05-11 ransom disclosure may have triggered that clock for EU-hosted Canvas deployments. Swiss institutions face nFADP Art. 24 notification obligations if the breach poses high risk to data subjects.