Chairman Cassidy, Tuberville Seek Answers on Canvas Cybersecurity Incident, Calls for More Safeguards to Protect Students

WASHINGTON - U.S. Senators Bill Cassidy, M.D. (R-LA), Chairman of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, and Tommy Tuberville (R-AL) raised concerns about the recent cybersecurity incident on Instructure, threatening the data of 275 million students, families, and teachers worldwide. The incident shut down Instructure's learning management system, Canvas, the most popular system used in the country by K-12 schools, colleges, and universities.

The incident, which occurred amidst school finals and graduation, resulted in the unauthorized disclosure of usernames, email addresses, course names, enrollment information and messages to bad actors.

"Cybersecurity threats are one of the most significant risks currently affecting the safety and security of our most sensitive information," wrote the senators. "At a time when hostile actors are increasingly using sophisticated tactics leveraging artificial intelligence, it is essential for the education technology sector to take meaningful steps to safeguard student and consumer information."

Background

As Chairman, Cassidy is leading efforts to protect Americans' private data. Earlier this Congress, the HELP Committee passed Cassidy's Health Care Cybersecurity and Resilience Act to safeguard Americans' health data. He has also investigated several cybersecurity lapses, including those by OPEXUS and UnitedHealth Group.

Read the full letter here or below:

Dear Mr. Daly:

Cybersecurity threats are one of the most significant risks currently affecting the safety and security of our most sensitive information. At a time when hostile actors are increasingly using sophisticated tactics leveraging artificial intelligence, it is essential for the education technology sector to take meaningful steps to safeguard student and consumer information.

The recent cybersecurity incident affecting Instructure and its learning management system (LMS), Canvas, highlights the impact these growing threats have on disrupting our educational system. Canvas, the most widely used LMS in the United States, is used by approximately 30 million individuals, including for course management, communication with students, and administrative functions. This disruption comes at the end of the school year, creating numerous complications around finals and end-of-year functions for students. Instructure has thus far stated that compromised "data fields involved include information like usernames, email addresses, course names, enrollment information and messages." Estimates thus far indicate that this incident has affected the data of over 275 million individuals and over 8,000 school districts, universities, and other educational stakeholders.

This is not the first time Instructure has experienced a cybersecurity incident. In fact, Instructure was previously the victim of a cybersecurity incident in 2025, and recent reporting indicates that the ongoing incident stems from two separate attacks on Instructure's systems. Additional transparency is needed regarding what information hostile actors accessed, what measures Instructure had implemented prior to the incident to protect sensitive information, and what steps the company intends to take going forward to address vulnerabilities and improve its security infrastructure.

To that end, we request answers to the following questions by May 28, 2026:

1. What security protocols, both cyber and physical, does Instructure have in place to protect against a cyberattack?
2. How does Instructure incorporate cybersecurity best practices implemented by other critical infrastructure sectors?
3. When did Instructure first become aware of a cyber incident affecting its systems?
4. When did Instructure notify federal agencies of a cyber incident, and which agencies did Instructure notify?
5. Instructure has stated that "data fields involved include information like usernames, email addresses, course names, enrollment information and messages.
6. 1. Has Instructure determined if this information contained any personally identifiable information?
   2. What steps is Instructure taking to identify any additional information that may have been accessed?=
   3. How is Instructure proactively communicating with potentially impacted individuals and entities, including the parents or guardians of potentially impacted children under age 18?
7. Many of Instructure's customers have been the victim of defacement attacks where hostile actors have publicized the list of affected schools.
8. 1. How many customers has Instructure identified as potentially affected by the cybersecurity incident?
   2. What steps has Instructure taken to support customers to regain access to Canvas or affected systems?
9. Instructure was the victim of a previous cybersecurity incident in September 2025.
10. 1. What remedial steps did Instructure take to improve its security protocols after that incident?
    2. What remedial steps has Instructure taken, or does it intend to take, to improve its security protocols in response to the ongoing incident?
11. Instructure recently stated that it "reached an agreement with the unauthorized actor involved in this incident," including the return of all exfiltrated data and the "digital confirmation of data destruction."
12. 1. What were the specific terms associated with this agreement?
    2. What data was included in this agreement?
    3. Has Instructure determined whether the hostile actor exfiltrated data not covered by this agreement?

Sincerely,

###

For all news and updates from HELP Republicans, visit ourwebsite or Twitterat @GOPHELP.