Hundreds of thousands of Victorian students are at increased risk of identity theft after a Victorian Department of Education (DoE) data breach compromised personal details from the state’s 1,575 government schools.

An “external third party” breached a department database and accessed a school network before taking the data, the DoE said on Wednesday, noting in a statement that it had “identified the point of the breach and have put safeguards in place.”

This included temporarily disabling systems to prevent access to any additional data about the state’s more than 665,000 students.

Department notifications revealed the compromised data included student names, email addresses, school names, year level, and encrypted copies of their passwords – but did not include personal data such as students’ dates of birth, phone numbers, or home addresses.

There is no indication whether cybercriminals have demanded a ransom to prevent the information’s publication, although the department said “there is no evidence to suggest that the data accessed has been released publicly or shared with other third parties.”

Reports suggest schools are taking proactive action to protect student access, including resetting passwords in the run-up to the new school year.

The DoE said it was working with outside experts to investigate the incident, and helping schools to “ensure this does not disrupt students when they start the 2026 school year” on 28 January.

Long-tail impact could be significant

Coming just a day after school-leavers got the latest round of university offers, the breach will trouble a community that – thanks to the federal government’s social media minimum age (SMMA) laws – is acutely aware of the need to manage students’ exposure.

Victoria’s DoE has not revealed the number of current and previous students compromised, but the breach’s potential magnitude could put it among the worst such incidents – with the Office of the Australian Information Commissioner (OAIC) informed of just six breaches affecting over 100,000 people in its latest half-yearly figures.

Even if the data from the Victorian DoE breach is not published publicly, it still has considerable potential value to cybercriminals.

That’s because as they progress through school and beyond, today’s students will become bank account holders, credit card holders, car drivers and buyers, and home buyers – creating a baseline dataset that cybercriminals will steadily build on.

Over time, cross-referencing personal details with data from other breaches will fill out criminals’ profiles of the students, providing increasingly comprehensive data that could eventually expose compromised students to identity theft and carefully engineered scams.

Are cybercriminals losing interest in education?

Recent breaches of educational institutions such as Western Sydney University, Deakin University, the University of Sydney, and the University of Tasmania have kept universities on, and government schools have suffered their own attacks over the years.

The New South Wales Department of Education, for example, suffered a cyberattack in 2021, while allegations of unapproved collection of biometric data caused a storm in 2025, and privacy advocates are concerned about the security implications of a recently launched Digital Hub.

Yet recent OAIC figures suggest many cybercriminals have turned their attention to government, health, finance, and professional organisations, which are better resourced and more likely to pay ransoms to prevent the release of data.

Private schools, which may be seen as better funded, have been regular targets – with Haileybury College, Scotch College, Belmont Christian College, Waverley Christian College, Mount Lilydale Mercy College and Loreto Mandeville Hall Toorak among the latest victims.

The OAIC was notified of just six cases of malicious or criminal attack on educational institutions in the first half of 2025 – a fraction of the 48 financial services, 42 healthcare, 32 government, and 32 professional services incidents reported.

It is also well down from the 14 malicious or criminal attacks recorded on educational institutions during the same period a year earlier.