During the busiest week of the academic year, the platform that millions of students depend on for exams, grades, and graduation clearances was compromised. Hackers breached Canvas, the learning management system built by Utah-based Instructure and used by thousands of schools and universities across the country. The attackers made off with student records, and Instructure says it struck a deal to get the data back and have it destroyed. But lawmakers in both chambers of Congress are not satisfied, and cybersecurity experts say there is no reliable way to confirm the stolen information is actually gone.
Congressional pressure from both chambers
The political response came fast. Andrew R. Garbarino, Chairman of the House Homeland Security Committee, sent a letter to Instructure demanding detailed information about two separate intrusions that affected Canvas and disrupted schools and universities nationwide. His inquiry also flagged the committee’s oversight interest in how the Cybersecurity and Infrastructure Security Agency responded to the incident.
On the Senate side, HELP Committee Chairman Bill Cassidy and Senator Tommy Tuberville fired off their own letter. They called for stronger safeguards to protect students and zeroed in on the timing: the breach hit during finals and graduation, when students and faculty rely most heavily on digital platforms for exams, grade submissions, and degree conferrals. “Students deserve to know their personal information is protected,” the senators wrote, pressing Instructure for a full accounting of what went wrong.
Canvas is not a niche product. Instructure reports that its platform serves educational institutions in more than 100 countries, and it is one of the most widely adopted learning management systems in U.S. higher education and K-12 districts. A security failure at this scale does not just affect one campus. It ripples across entire state university systems, community college networks, and school districts that have built their digital infrastructure around a single vendor.
What Instructure says happened
Instructure has acknowledged the breach and says it reached an agreement with the attackers. The company told affected institutions that it received “digital confirmation via shred logs” that the stolen data had been deleted and returned. The Utah System of Higher Education issued a public notice specifying that compromised information included names, email addresses, student IDs, and messages exchanged within the platform.
Instructure also told institutions that passwords, dates of birth, government-issued IDs, and financial information were not believed to be part of the compromised data set. USHE confirmed it had notified state entities including Utah Cybersecurity as part of its response.
The figure of 275 million affected student records has circulated widely in coverage of the breach. However, no primary document in the public record pins down that number with methodological detail. Institutional notices like USHE’s describe categories of compromised data rather than a total count of affected individuals. Whether the figure reflects unique user records, cumulative account entries across institutions, or some other metric has not been clarified by Instructure in any public filing reviewed for this report.
Why the deletion claim faces skepticism
The central unresolved question is whether the stolen data was actually destroyed. Instructure itself acknowledged, according to AP reporting, that there is no way to be certain the data was erased for good.
Cybersecurity professionals quoted in the same reporting expressed skepticism, and for good reason. Digital files can be copied before they are handed back. “Shred logs” are records generated by the party doing the deleting, which means Instructure is relying on the attackers’ own documentation as proof of compliance. In the cybersecurity field, data deletion by hostile actors is considered inherently unverifiable. The deal may reduce risk, but it does not eliminate it.
The terms of the agreement, including whether any payment changed hands, remain undisclosed. Instructure has not released the deal or allowed independent verification of the shred logs. Both congressional committees have set expectations for detailed replies, but as of late May 2026, no company response has been made public.
Technical details about the two intrusions referenced by Chairman Garbarino are also missing from the public record. Whether the attacks exploited the same vulnerability or involved separate threat actors operating on different timelines has not been addressed in any official statement. Without that information, individual schools and universities cannot fully assess their own exposure or take targeted defensive steps.
Who is exposed and what they should do
For students, parents, and administrators trying to gauge their risk right now, the practical reality is this: basic contact and identifier information may have been accessed and possibly copied. Names, institutional email addresses, student ID numbers, and internal messages are enough to fuel convincing phishing campaigns, especially when timed around grade releases or financial aid deadlines.
Students should watch for unsolicited emails or texts that reference specific classes, instructors, or recent assignments. Even though passwords were not believed to be directly compromised, attackers can use contextual details from stolen messages to trick users into handing over login credentials. Institutions can blunt this risk by issuing clear guidance on how official communications will be sent and by pushing multifactor authentication across all campus systems.
Faculty and staff face similar exposure. Messages between instructors and students often contain details about schedules, accommodations, and grades that could be used to impersonate faculty members or pressure students into sharing additional information.
For campus IT departments, the breach is a concrete prompt to review how Canvas integrates with identity providers and student information systems. Single sign-on connections and data synchronization processes should be re-examined for least-privilege access and logging. Institutions may also want to revisit vendor contracts to clarify incident response timelines, notification obligations, and requirements for independent security assessments.
Parents and guardians in K-12 settings should be alert to unusual emails that appear to come from schools, particularly any requesting payment information or login credentials. Current disclosures suggest financial data was not part of the compromised set, but attackers routinely pivot from one dataset to another by exploiting trust.
Where the investigation goes from here
The next concrete developments will likely come from Instructure’s formal responses to Congress. Any written reply submitted through the Senate’s public portal or to House investigators could reveal the technical details of the intrusions, a verified count of affected users, and the company’s rationale for trusting documentation supplied by the very people who broke into its systems.
Lawmakers may also hold hearings or request briefings from federal agencies involved in the response. The House Homeland Security Committee has already signaled interest in the role of federal cyber defenders, and the Senate HELP Committee has framed the breach as part of a broader conversation about student privacy and the security of digital infrastructure in education. Depending on what surfaces, both panels could push new reporting requirements for ed-tech vendors or direct additional funding toward school cybersecurity programs.
Visibility into how many institutions beyond Utah were directly affected remains limited. Canvas is embedded in K-12 districts, community colleges, and research universities across the country, but only a handful have issued public notices so far. That gap may reflect ongoing internal investigations or varying state disclosure laws rather than a lack of impact. Whether state attorneys general open their own inquiries could further shape the scope of accountability.
Until independent verification emerges, students and institutions are left operating under an uncomfortable assumption: that some portion of the stolen data may still be out there, regardless of what the hackers promised to delete. The congressional letters have put Instructure on a public clock. What the company says next, and what it can actually prove, will determine whether this breach becomes a turning point for ed-tech security or another incident that fades without structural change.
This article was researched with the help of AI, with human editors creating the final content.