Tuberville Calls for Greater Safeguards to Protect Students’ Privacy

WASHINGTON - Today, U.S. Senator Tommy Tuberville (R-AL), Chairman of the Subcommittee on Education and the American Family, and U.S. Senator Bill Cassidy (R-LA), Chairman of the Senate Health, Education, Labor, and Pensions Committee, sent a letter to Steve Daly, CEO of Instructure, about their concerns over the recent cybersecurity incident on Instructure, threatening the data of 275 million students, families, and teachers worldwide. The incident shut down Instructure's learning management system, Canvas, the most popular system used in the country by K-12 schools, colleges, and universities.

The incident, which occurred amidst finals and graduation, resulted in the unauthorized disclosure of usernames, email addresses, course names, enrollment information, and messages to bad actors.

"Cybersecurity threats are one of the most significant risks currently affecting the safety and security of our most sensitive information," wrote the senators. "At a time when hostile actors are increasingly using sophisticated tactics leveraging artificial intelligence, it is essential for the education technology sector to take meaningful steps to safeguard student and consumer information."

Read the full letter below or here.

"Dear Mr. Daly:

Cybersecurity threats are one of the most significant risks currently affecting the safety and security of our most sensitive information. At a time when hostile actors are increasingly using sophisticated tactics leveraging artificial intelligence, it is essential for the education technology sector to take meaningful steps to safeguard student and consumer information.

The recent cybersecurity incident affecting Instructure and its learning management system (LMS), Canvas, highlights the impact these growing threats have on disrupting our educational system Canvas, the most widely used LMS in the United States, is used by approximately 30 million individuals, including for course management, communication with students, and administrative functions. This disruption comes at the end of the school year, creating numerous complications around finals and end-of-year functions for students. Instructure has thus far stated that compromised "data fields involved include information like usernames, email addresses, course names, enrollment information and messages." Estimates thus far indicate that this incident has affected the data of over 275 million individuals and over 8,000 school districts, universities, and other educational stakeholders.

This is not the first time Instructure has experienced a cybersecurity incident. In fact, Instructure was previously the victim of a cybersecurity incident in 2025, and recent reporting indicates that the ongoing incident stems from two separate attacks on Instructure's systems. Additional transparency is needed regarding what information hostile actors accessed, what measures Instructure had implemented prior to the incident to protect sensitive information, and what steps the company intends to take going forward to address vulnerabilities and improve its security infrastructure.

To that end, we request answers to the following questions by May 28, 2026:

• What security protocols, both cyber and physical, does Instructure have in place to protect against a cyberattack?

• How does Instructure incorporate cybersecurity best practices implemented by other critical infrastructure sectors?

• When did Instructure first become aware of a cyber incident affecting its systems?

• When did Instructure notify federal agencies of a cyber incident, and which agencies did Instructure notify?

• Instructure has stated that "data fields involved include information like usernames, email addresses, course names, enrollment information and messages.
  • Has Instructure determined if this information contained any personally identifiable information?
  • What steps is Instructure taking to identify any additional information that may have been accessed?
  • How is Instructure proactively communicating with potentially impacted individuals and entities, including the parents or guardians of potentially impacted children under age 18?

• Many of Instructure's customers have been the victim of defacement attacks where hostile actors have publicized the list of affected schools.
  • How many customers has Instructure identified as potentially affected by the cybersecurity incident?
  • What steps has Instructure taken to support customers to regain access to Canvas or affected systems?

• Instructure was the victim of a previous cybersecurity incident in September 2025.
  • What remedial steps did Instructure take to improve its security protocols after that incident?
  • What remedial steps has Instructure taken, or does it intend to take, to improve its security protocols in response to the ongoing incident?

• Instructure recently stated that it "reached an agreement with the unauthorized actor involved in this incident," including the return of all exfiltrated data and the "digital confirmation of data destruction."
  • What were the specific terms associated with this agreement?
  • What data was included in this agreement?
  • Has Instructure determined whether the hostile actor exfiltrated data not covered by this agreement?

Sincerely,"

Senator Tommy Tuberville represents Alabama in the United States Senate and is a member of the Senate Armed Services, Agriculture, Veterans' Affairs, HELP and Aging Committees.

###