Queensland’s Education Minister, John-Paul Langbroek, has confirmed that the state’s schools have been impacted by a cyber security incident involving a third-party provider that supports the state’s QLearn online education platform.
“This morning, I have been briefed by the Department of Education about an international cyber security breach involving a third-party provider, Instructure, which delivers the department’s online learning platform, QLearn,” Langbroek said in a 7 May statement.
“This incident has impacted thousands of educational institutions, including state schools and universities within Queensland, across Australia and overseas, and early advice is this will impact more than 200 million people and more than 9,000 institutions worldwide.”
According to the minister, the breach impacts the staff and students of “Education Queensland schools since 2020”, which was when the online platform was first established.
“Advice at this stage is names, email addresses, and school locations have been compromised in the international data breach. No evidence of passwords, dates of birth, or financial information being accessed in the data breach,” Langbroek said.
“School principals are in the process of contacting families and teachers to advise them of the breach.”
Langbroek said the Department of Education was providing particular support to “families and teachers with known family and domestic violence”.
As of February 2026, more than 560,000 students were enrolled in public schools across the state.
What happened?
Cloud-based educational firm Instructure confirmed last week that it was investigating a cyber attack on its Canvas platform, later confirming that a breach had in fact occurred.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” the company said in a statement.
“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.”
While Instructure confirmed the breach, the ShinyHunters cyber extortion group claimed responsibility, with the hackers saying they had compromised more than 200 million students and staff.
“Nearly 9,000 schools worldwide affected. 275 million individuals’ data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII,” ShinyHunters said in a 3 May post to its darknet leak site.
“Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.”
Several universities in the United States issued statements regarding the impact of the Instructure breach on their campuses, including the University of Colorado Boulder, Rutgers University, and Tilburg University.
“An investigation is currently underway to determine what exactly happened and which systems were affected. It has not yet been confirmed whether data of Tilburg University students and staff has been impacted. Further questions have been submitted to the supplier to obtain more clarity,” Tilburg University said in a 6 May statement.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.