Australian universities and TAFEs are rushing to assess their exposure after a breach of Instructure’s Canvas learning management system (LMS) compromised the personal data of up to 275 million students at over 9,000 institutions worldwide.
Instructure confirmed on 1 May that the company had suffered a “cybersecurity incident perpetrated by a criminal threat actor”, and that it had engaged outside experts to understand the extent of the incident.
Those investigations revealed that the breached data included “certain identifying information of users” including names, email addresses and student ID numbers, as well as messages sent between users of their institutions’ Canvas implementations.
The company said it had “found no evidence” of compromised passwords, dates of birth, government identifiers, or financial information, and had undertaken a range of remedial actions including system patches and revoking privileged credentials.
Responsibility for the breach has been claimed by high-profile extortion gang ShinyHunters, a group known for targeting major companies and whose other recent victims include Ticketmaster, AT&T, Pizza Hut, Adidas, Qantas, and Pandora.
The group, which published notice of the compromise on its breach site, claimed the stolen 3.65 terabytes of data related to 275 million students, teachers, and other staff as well as “several billions of private messages among students and teachers.”
Publication BleepingComputer said ShinyHunters had shared a full list of 8,809 affected institutions, each of which had between tens of thousands and several million records compromised, while HackRead corroborated the “massive” size of the list.
Weighing the local impact
Canvas dominates the North American LMS market – with 43 per cent market share and over 12 million enrolments – and it has a strong user base across Australia and New Zealand, where unis moved nearly all teaching online during the COVID-19 pandemic.
Instructure also has many corporate users of Canvas, which use the platform to deliver professional development courses for compliance, governance, and staff certifications; there is no indication yet, however, whether companies are among those breached.

Extortion group ShinyHunters claims to have personal data on 275 million students and staff. Source: Security Affairs
Local institutions moved quickly to notify students and staff of the Canvas breach – not to be confused with Australian design platform Canva, which is also widely popular amongst schools and universities worldwide and was hacked in 2019.
The University of Technology Sydney (UTS), for one, said its Canvas LMS is “currently operating as normal” and that students should continue using the platform as usual, but beware of scam emails about the breach or emails asking them to sign in or reset a password.
TasTAFE said there is “no indication that passwords, dates of birth, government identifiers, or financial information were involved” and that there is “no impact to ongoing TasTAFE learning delivery” even as it works with Instructure for more clarity.
Melbourne’s RMIT University reported that it is “working with the vendor to confirm if RMIT data has been involved” while the University of Newcastle, The University of Adelaide and Flinders University have also reportedly moved to reassure students.
New Zealand’s Victoria University and Auckland University of Technology were also impacted but similarly called for calm to reassure potentially impacted students.
The University of Auckland warned that subsequent phishing attacks, fine-tuned using the stolen data, are “the most likely consequence” of the breach and advised students to be wary of unexpected messages asking for personal information or actions.
Tasmanian school students may also have been affected, with the state Department for Education, Children and Young People (DECYP) reporting that it “has been identified as being impacted” but “has not been informed if any Tasmanian data has been obtained”.
Queensland Education Minister John-Paul Langbroek said the state’s QLearn platform was affected, while the NSW Department of Education and WA Department of Education use Canvas for teaching and professional development.
So does the Victoria Department of Education – which is still recovering from a major breach in January – while Instructure also counts Australian Catholic University, Brisbane Grammar, Sacred Heart College Geelong, and Mentone Grammar as users.
Sitting ducks for major breaches
The breach is a word of warning for schools and universities whose networks have often been built as “Swiss cheese by design”.
Indeed, educational institutions have long been the most targeted industry worldwide, copping an average 4,356 attacks per organisation each week last year.
Last year, a 19-year-old uni student was sentenced to four years in prison and $19.5 million ($US14.1 million) in restitution after he stole data on 60 million students and 10 million teachers by hacking primary and high school software provider PowerSchool.
And in December, consumer agency the US Federal Trade Commission (FTC) dropped the hammer on LMS firm Illuminate, which was breached in 2021 but waited two years to share the news.
Australia’s Office of the Information Commissioner (OAIC) received 38 data breach notifications from educational institutions during the first half of 2025 – up 27 per cent on the preceding half-year – with 17 per cent of those blamed on malicious attacks.
That included three hacking incidents and one ransomware attack, with one incident blamed on a rogue employee or insider threat.
Education breaches were discovered faster than in any other industry, with 68 per cent of breaches identified within 10 days and 13 per cent taking over a month to be identified.