A significant privacy breach has impacted thousands of schools and universities across Australia, leading to the exposure of private and sensitive data belonging to millions of teachers and students.
The cybersecurity incident involves third-party provider Instructure, which operates online learning platforms such as Canvas and QLearn for educational institutions throughout Australia.
Queensland's Education Minister, John-Paul Langbroek, confirmed that the data breach also affects international institutions.
Global impact
"This incident has impacted thousands of educational institutions, including state schools and universities within Queensland, across Australia and overseas, and early advice is this will impact more than 200 million people and more than 9,000 institutions worldwide," he stated.
Langbroek noted that early indications suggest both students and staff associated with Education Queensland and using QLearn have been affected. The online system was introduced by the previous government in 2020.
"Advice at this stage is names, email addresses and school locations have been compromised in the international data breach," Langbroek said.
"There is no evidence of passwords, dates of birth or financial information being accessed in the data breach."
School principals are currently contacting families and teachers to inform them about the breach.
"The Department of Education is providing priority support to families and teachers with known family and domestic violence, or those known to Child Safety," he added.
"The Department of Education will continue to update Queenslanders as further information is available."
Universities affected
University of Technology Sydney (UTS) deputy vice-chancellor Kylie Readman stated that the institution is seeking clarification on whether its students' information has been leaked.
"We are working with the vendor, Instructure, to confirm whether UTS data has been compromised as part of this incident and to fully understand potential impacts if a breach has occurred," she said.
"We are also working with relevant Australian authorities."
On Monday, Royal Melbourne Institute of Technology (RMIT) also indicated it may have been impacted.
"RMIT has been notified of a cyber incident impacting the Canvas learning management system," the university said.
"Canvas is a learning platform used by many universities across the world, including RMIT.
"We are working with the vendor to confirm if RMIT data has been involved and understand any impacts as a result of this breach."
TasTAFE in Tasmania reported a data breach in a statement on Thursday.
"Instructure took immediate action to address the incident and has engaged external cyber security and forensic specialists," the statement read.
"On May 6, Instructure advised that a criminal third party has accessed data associated with some customer accounts, including TasTAFE.
"This incident relates to Instructure's systems and was not the result of a breach of TasTAFE's own systems or processes. Investigations commenced immediately and are ongoing."
The TAFE said, based on current advice, the data involved in the breach may include some personal information, including content stored within Canvas such as messages.
"At this stage, Instructure has not provided TasTAFE with information identifying specific individuals affected," it said.
"There is no indication that passwords, dates of birth, government identifiers, or financial information were involved."
Western Sydney University and Flinders University in Adelaide have also reportedly been impacted, with dozens more institutions using Canvas yet to confirm any breaches.
More details to come.
