Global Canvas breach hits Australian schools and universities; student data believed exposed
A global breach of the Canvas learning platform has swept up Australian education providers, with state schools in Queensland and Tasmania, universities in NSW and South Australia, and TAFE in Tasmania among those affected. Names, locations of study, email addresses and messages between users are among details believed to have been compromised, and the federal National Office of Cyber Security is coordinating the response.
Canvas, developed by US company Instructure, is used by almost 9,000 institutions worldwide. In a post to its customer status page, Instructure said it had “recently experienced a cybersecurity incident perpetrated by a criminal threat actor.” Chief information security officer Steve Proud said the company believed it had “contained” the incident and was working to understand its extent.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” he wrote.
Australia’s National Cyber Security Coordinator, Michelle McGuinness, said her team was coordinating efforts to determine what Australian data may be impacted. “We are in the early stages of assessing the impacts, and I will share further updates as we gain a better understanding of the incident,” she said, advising anyone who thinks they may be affected not to respond to unsolicited contact.
The Queensland government said tens of thousands of students and teachers at state schools since 2020 were among those affected. Education minister John‑Paul Langbroek said early advice suggested more than 200 million people could be impacted worldwide across more than 9,000 schools, universities and other institutions, and that principals would contact affected families.
Instructure provides the Queensland Education Department’s QLearn online learning platform. Langbroek said the department was providing priority support to families known to child safety authorities or with a history of domestic and family violence, and that principals were contacting families and teachers about the breach.
Queensland Teachers’ Union president Cresta Richardson called for a thorough investigation into how the breach occurred and how similar incidents could be prevented, describing the incident as a serious security failure likely to cause significant concern among members, students and school communities.
Cybersecurity industry website BleepingComputer reported that the hacking group ShinyHunters had claimed responsibility for the breach. The group also recently claimed responsibility for a hack of developer Rockstar, the maker of the Grand Theft Auto franchise; data from that breach was released online after a ransom was not paid.
It is understood the compromised Canvas data has not been publicly released at this stage. Instructure’s investigation is continuing, and federal authorities said they would provide further updates as the assessment of impacts progresses.
