ShinyHunters breached Instructure twice in one week. Both chambers of Congress are now investigating Canvas's vendor security posture.
ShinyHunters hit Instructure on May 1 and again on May 7, accessing usernames, email addresses, course data, enrollment information, and messages across what the attacker claims is approximately 275 million records and 8,809 institutions. These figures are attacker-supplied and unverified; a ShinyHunters representative later told TechCrunch the unique email count is closer to 231 million. By reported record count, this is the largest educational data breach on record. Both the House Homeland Security Committee and the Senate HELP Committee are investigating. This is Instructure's second breach in under a year. Every CISO conversation you have this week will be colored by it. CISOs will frame it as third-party data governance, and that framing is accurate as far as it goes. But the detail keeping vendor risk committee chairs awake is that six-day gap between intrusions, and whether the institution's HECVAT process evaluates a vendor's incident response capability between initial breach and remediation.
Rep action: Ask the CISO how the Canvas incident has changed their vendor risk review cadence, and whether their current HECVAT process covers incident response and remediation timelines between successive intrusions.
Sources: House Committee on Homeland Security press release, May 11, 2026; Senate HELP Committee letter to Instructure, May 2026, via Dark Reading; Protos Labs intelligence report, May 13, 2026. Record count figures are attacker claims, not independently verified.
Microsoft Entra has three enforcement deadlines clustering in September 2026. The first operational impact starts July 6.

| Date | Event | Impact |
|---|---|---|
| July 6 | SSPR registration campaigns begin (MC1325414) | Users prompted to register authentication methods |
| September 7 | SSPR hard cutover | Directory-synced contact info (HR phone numbers, system-populated emails) rejected unless user-registered |
| September 30 | Connect Sync versions below 2.5.79.0 stop working | Hybrid sync breaks for unpatched installations |
| September 30 | Custom Controls in Conditional Access deprecated | Full retirement early 2027 |

The SSPR enforcement is particularly dangerous at campuses where dashboard coverage looks high but is propped up by directory-synchronized phone numbers that users never confirmed. That gap between apparent coverage and actual registered coverage only becomes visible when enforcement arrives and the help desk melts.
Rep action: Ask the identity architect whether they've audited how many SSPR-eligible accounts rely on directory-synced contact attributes rather than user-registered methods, and whether their Custom Controls integration has a migration path to External MFA before September 30.
Sources: Microsoft Message Center MC1325414, May 28, 2026; Microsoft Learn, Entra Connect Sync upgrade documentation; Microsoft Learn, Conditional Access Custom Controls documentation.
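The gap between apparent and registered SSPR coverage described above can be measured before the September 7 cutover. The following is an added example, not code from this briefing or from Microsoft: it assumes a per-user export whose column names (`sspr_enabled`, `synced_mobile`, `synced_alt_email`, `registered_methods`) are hypothetical, and it runs on constructed sample rows.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this example,
# not an Entra or Microsoft Graph schema; map them to whatever your export uses.
SAMPLE_EXPORT = """upn,sspr_enabled,synced_mobile,synced_alt_email,registered_methods
alice@campus.example,true,+1 555 0100,,mobilePhone;microsoftAuthenticator
bob@campus.example,true,+1 555 0101,,
carol@campus.example,TRUE,,carol@hr.example,
dave@campus.example,true,,,
erin@campus.example,false,+1 555 0104,,
frank@campus.example,true, ,,email
"""


def audit_sspr(export_text):
    """Split SSPR-eligible accounts by what their coverage actually rests on."""
    buckets = {"registered": [], "synced_only": [], "uncovered": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["sspr_enabled"].strip().lower() != "true":
            continue  # outside SSPR scope, so excluded from both coverage figures
        registered = [m for m in row["registered_methods"].split(";") if m.strip()]
        synced = any(row[c].strip() for c in ("synced_mobile", "synced_alt_email"))
        if registered:
            buckets["registered"].append(row["upn"])   # survives the cutover
        elif synced:
            buckets["synced_only"].append(row["upn"])  # looks covered today only
        else:
            buckets["uncovered"].append(row["upn"])
    eligible = sum(len(v) for v in buckets.values())
    apparent = len(buckets["registered"]) + len(buckets["synced_only"])

    def pct(n):
        return round(100 * n / eligible, 1) if eligible else 0.0

    return {
        "eligible": eligible,
        "apparent_pct": pct(apparent),                     # what the dashboard suggests
        "registered_pct": pct(len(buckets["registered"])), # what holds after enforcement
        "synced_only": buckets["synced_only"],             # registration campaign targets
        "uncovered": buckets["uncovered"],
    }


if __name__ == "__main__":
    report = audit_sspr(SAMPLE_EXPORT)
    print(f"eligible={report['eligible']} apparent={report['apparent_pct']}% "
          f"registered={report['registered_pct']}%")
    for upn in report["synced_only"]:
        print("relies on directory-synced contact info only:", upn)
```

The `synced_only` list is the population to target during the registration campaigns that begin July 6.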
Federal research funding disbursement has slowed dramatically, threatening R1 security infrastructure budgets even where Congress appropriated the money.
NIH spending is running approximately 30% below the FY2021–2024 average pace as of April 22, per Grant Witness data reported by STAT. NSF has funded roughly 613 grants this fiscal year, approximately one-fifth of the 3,000-plus it would typically fund by this point. Congress appropriated these funds and specifically blocked the proposed 15% indirect cost cap in the enacted FY2026 law. The money exists. The agencies haven't moved it. But the budget effect at R1s is the same as if the money had been cut: when awards don't flow, indirect cost recovery doesn't flow, and the infrastructure funded by indirects, including security staff and identity modernization projects, enters a re-justification cycle. A CISO who built a business case on projected indirect cost recovery may find the CFO now wants it rebuilt on a different funding basis entirely.
Rep action: Ask the CISO or CIO whether their security infrastructure budget depends on indirect cost recovery from federal awards, and whether the current disbursement slowdown has triggered project re-justification or timeline changes.
Sources: STAT News citing Grant Witness data, April 30, 2026; Granted AI citing Grant Witness, April 28, 2026; Congressional Research Service, FY2026 NIH appropriations analysis; AAU, March 20, 2026.

