A significant global data breach has impacted numerous educational institutions, including universities, vocational training providers, and several state schools across Australia. This incident has raised concerns regarding the exposure of sensitive information such as names, study locations, email addresses, and private messages between users.
The response to this breach is being coordinated by the National Office of Cyber Security, which is part of the federal government. Educational organizations nationwide are currently working to assess the ramifications of the breach that has affected universities, TAFE, and public schools in at least two Australian states.
Nearly 9,000 educational entities worldwide utilize the Canvas learning management system, created by the American company Instructure, which has fallen victim to this cyber attack. Confirmed impacted institutions include state schools in Queensland and Tasmania, universities in New South Wales and South Australia, as well as TAFE in Tasmania.
Instructure acknowledged the situation on its status page over the weekend, stating that the company had “recently experienced a cybersecurity incident perpetrated by a criminal threat actor.” Steve Proud, the Chief Information Security Officer for Instructure, communicated that the company is swiftly working to grasp the full scope of the incident and is taking measures to mitigate its effects.
In an update this morning, Proud noted that the company believed it had “contained” the breach. Preliminary investigations suggest that the compromised information includes identifiable details about users at the affected institutions, such as names, email addresses, and student ID numbers, as well as messages exchanged among users. He emphasized that, so far, there is no evidence indicating that passwords, birth dates, government identifiers, or financial details were compromised. Should this change, impacted institutions will be notified promptly.
According to cybersecurity news outlet BleepingComputer, the notorious hacking group ShinyHunters has claimed responsibility for this breach. This group recently gained notoriety for breaching the developer Rockstar, known for the highly successful Grand Theft Auto video game franchise, with stolen data being released online after a ransom demand was ignored.
At this time, there is no indication that the data compromised from Canvas has been publicly disclosed.
The Queensland state government reported that tens of thousands of students and educators from state schools have been affected since 2020. Education Minister John-Paul Langbroek indicated that initial assessments suggested that up to 200 million individuals worldwide could be impacted by the breach, affecting over 9,000 educational institutions. School principals have been instructed to reach out to families affected by the incident.
Instructure is responsible for the online learning platform QLearn utilized by the Queensland Education Department. Minister Langbroek stated that the department is offering “priority support” to families known to child protection services or those with a documented history of domestic violence. School principals are actively contacting families and staff regarding the breach.
The Tasmanian Department of Education confirmed that state schools use the Canvas platform for tracking learning interactions between staff and students and has acknowledged being informed about the breach. Investigations have begun and are ongoing. The department stated that while it has been identified as affected by the cybersecurity incident, the precise impact is still under investigation by Instructure.
TasTAFE, a provider in Tasmania, announced that some of its students’ information was compromised due to the cyber attack on the Canvas platform. Chief Executive Norman Baker mentioned on ABC Hobart Mornings that hackers were reportedly demanding a ransom, and that some of the stolen data included communications between students and faculty.
A spokesperson for the New South Wales Department of Education reported that they are currently assessing whether any NSW schools have been affected. They reassured that for schools utilizing the departmental sign-on, passwords are not stored with Canvas, thus eliminating the risk of credential exposure in those cases.
The University of Melbourne has acknowledged the cyber incident and affirmed its commitment to the protection and management of personal information, working alongside the vendor to ascertain and address any potential impacts. Similarly, a representative from Flinders University in Adelaide stated that they had been informed that student and staff data within the Canvas platform “may have been impacted.”
