NSW Department of Education Investigates Instructure Canvas Data Breach Impacting Thousands of Students and Staff
The New South Wales Department of Education is currently investigating the ramifications of a significant data breach involving Instructure’s Canvas platform, which has already affected students and staff in Queensland. This incident raises serious concerns about the security of educational data and the vulnerabilities that third-party platforms pose to the education sector.
A spokesperson for the NSW Department of Education confirmed awareness of the breach, stating, “The department is aware of the publicly reported data breach affecting Instructure’s Canvas platform.” The department is actively collaborating with Instructure to determine whether any schools in New South Wales have been impacted and to assess the nature of any compromised data. Notably, schools utilizing the departmental sign-on do not store their passwords with Canvas, mitigating the risk of credential exposure in those instances.
Many schools in New South Wales procure the Canvas platform directly from Instructure, and the department has pledged support for any affected institutions. The breach was first acknowledged publicly on May 7, when the Queensland education minister confirmed that Education Queensland schools had been impacted by the incident. According to John-Paul Langbroek, “Advice at this stage is names, email addresses, and school locations have been compromised in the international data breach. No evidence of passwords, dates of birth, or financial information being accessed in the data breach.” School principals are currently reaching out to families and teachers to inform them about the breach.
The incident has been attributed to the ShinyHunters cyber extortion group, which claims to have compromised millions of students and staff globally, affecting thousands of schools. The hackers assert that they have stolen over 3.6 terabytes of data, raising alarms about the scale and implications of the breach.
National Response and Ongoing Investigations
Lieutenant General Michelle McGuinness, Australia’s national cyber security coordinator, has indicated that efforts are underway to ascertain the full scope of the breach. “We are in the early stages of assessing the impacts, and I will share further updates as we gain a better understanding of the incident,” she stated. McGuinness also advised individuals who believe they may be affected to refrain from responding to unsolicited communications.
Tasmania’s Department of Education has also initiated an investigation into the incident. A department spokesperson noted, “Investigations commenced immediately and are ongoing. At this stage, while DECYP has been identified as being impacted by the cyber security incident, the specific impact of the incident is subject to further investigation by Instructure.”
In addition, the University of Technology Sydney and the University of Sydney are working to formulate a response. A spokesperson from the University of Sydney remarked, “If a breach of personal data has occurred, we will notify affected individuals and work closely with the National Office of Cyber Security to manage the impact of the incident.” The university is among approximately 9,000 educational institutions worldwide that may be affected.
The Growing Threat Landscape in Education
Kash Sharma, managing director for ANZ at cybersecurity firm BlueVoyant, emphasized that incidents like the Instructure breach highlight the increasing attractiveness of educational institutions as targets for cybercriminals. Earlier this year, over 1,700 Victorian government schools were similarly affected, exposing sensitive student records just as families were preparing for the new school year.
Sharma noted, “These incidents underscore a growing reality: education systems are no longer defending only their own networks, but also the expanding ecosystem of external vendors, platforms, and service providers connected to them.” The breadth of the attack surface in the education sector is concerning. Third-party providers like Instructure, along with cloud services and the adoption of online learning tools, contribute to the vulnerabilities faced by educational institutions.
For education leaders, the management of third-party risk can no longer be viewed merely as a procurement or compliance issue. “Institutional resilience now depends on the security posture of every connected vendor,” Sharma stated. Effective third-party risk management necessitates continuous oversight throughout the vendor lifecycle, from due diligence and onboarding to ongoing monitoring, auditing, and incident response.
Sharma emphasized the need for educational institutions to move beyond static assessments, advocating for continuous visibility into vendor activity, security controls, and emerging threats. “Without this shift, the rapid digitization of education will continue to outpace the sector’s ability to secure it.”
Update on the Situation
As of May 7, the NSW Department of Education issued a follow-up statement at 5:17 PM. The department confirmed that it has reached out to schools utilizing the Canvas platform and is collaborating with Instructure to ascertain whether any data has been compromised. The department assesses the risk of a breach involving sensitive information to be low and has advised schools to reset passwords as a precautionary measure. It is noteworthy that only 45 schools in New South Wales utilize the Canvas platform, and no sensitive personal information, such as birthdates, is recorded within it.
The ongoing investigations and responses from various educational institutions underscore the critical importance of cybersecurity in the education sector. As the landscape evolves, the need for robust security measures and proactive risk management strategies becomes increasingly paramount.
Source: www.cyberdaily.au
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
