Thousands of educational institutions worldwide, including Australian universities, TAFEs, and state schools, have been affected by a global data breach targeting the Canvas learning management system. The hack, perpetrated by a criminal threat actor, has compromised names, email addresses, student ID numbers, and messages between users.
Instructure, the American company behind Canvas, confirmed the cybersecurity incident on its status page over the weekend. Chief Information Security Officer Steve Proud stated that the company believes it has contained the breach and is working to understand its extent. The notorious hacking group ShinyHunters has claimed responsibility.
In Australia, affected institutions include state schools in Queensland and Tasmania, universities in New South Wales and South Australia, and TasTAFE. The federal government's National Office of Cyber Security is coordinating a response. National Cyber Security Coordinator Michelle McGuinness urged those potentially impacted not to respond to unsolicited contact.
Queensland Education Minister John-Paul Langbroek said early advice suggests over 200 million people could be impacted globally, across more than 9,000 institutions. Queensland's Department of Education is providing priority support to vulnerable families. The Queensland Teachers' Union has called for a thorough investigation into the breach.
Tasmania's Department of Education confirmed state schools using Canvas have been notified, and investigations are ongoing. TasTAFE also revealed some students were affected. The compromised data has not been publicly released at this stage.



