The NSW Department of Education is investigating the impact of a third-party data breach that has already compromised school students and staff in Queensland.
“The department is aware of the publicly reported data breach affecting Instructure’s Canvas platform,” a department spokesman told Cyber Daily.
“The department is working with Instructure to establish if any NSW schools have been impacted and the nature of any data involved.
“Schools using the departmental sign-on do not have their passwords stored with Canvas, so there is no risk of credential exposure in those cases.”
Cyber Daily understands that many schools in NSW procure the Canvas platform directly from Instructure, while the department has said any schools impacted by the breach will be supported.
The Queensland education minister confirmed today, 7 May, that Education Queensland schools were impacted by the Instructure incident, which first came to light late last week.
“Advice at this stage is names, email addresses, and school locations have been compromised in the international data breach. No evidence of passwords, dates of birth, or financial information being accessed in the data breach,” John-Paul Langbroek said earlier today.
“School principals are in the process of contacting families and teachers to advise them of the breach.”
The ShinyHunters cyber extortion group is behind the incident and is claiming to have compromised millions of students and staff globally, and thousands of schools. In total, the hackers claim to have stolen more than 3.6 terabytes of data.
National response
Lieutenant General Michelle McGuinness, Australia’s national cyber security coordinator, said in a post to LinkedIn that she was actively working to establish the scope of the breach.
“We are in the early stages of assessing the impacts, and I will share further updates as we gain a better understanding of the incident,” LTGEN McGuinness said.
“If you think you may be impacted by this breach, the best way you can protect yourself is to not respond to unsolicited contact.”
Tasmania’s Department of Education is also investigating the incident.
“Investigations commenced immediately and are ongoing. At this stage, while DECYP has been identified as being impacted by the cyber security incident, the specific impact of the incident is subject to further investigation by Instructure,” a department spokesperson said in a statement.
The University of Technology Sydney and the University of Sydney are also working on a response.
“If a breach of personal data has occurred, we will notify affected individuals and work closely with the National Office of Cyber Security to manage the impact of the incident,” a USyd spokesperson said.
“The university is one of approximately 9,000 educational institutions worldwide that is potentially impacted.”
Why education?
Kash Sharma, managing director, ANZ, at cyber security firm BlueVoyant, said that breaches such as Instructure’s show that “schools are becoming an increasingly attractive target for cyber criminals”.
“Earlier this year, more than 1,700 Victorian government schools were similarly affected, exposing sensitive student records just as families prepared for the new school year,” Sharma told Cyber Daily.
“These incidents underscore a growing reality: education systems are no longer defending only their own networks, but also the expanding ecosystem of external vendors, platforms, and service providers connected to them.”
The issue is the sheer scope of the attack surface in the education sector. Not only are third-party providers such as Instructure driving attacks, but so are cloud services more generally, the adoption of online learning tools, and growing amounts of personal data held on aging school networks.
“For education leaders, third-party risk can no longer be treated as a procurement or compliance exercise. Institutional resilience now depends on the security posture of every connected vendor,” Sharma said.
“Effective third-party risk management requires continuous oversight across the full vendor life cycle – from due diligence and onboarding through to ongoing monitoring, auditing, and incident response. Schools and education departments must move beyond static assessments and establish continuous visibility into vendor activity, security controls, and emerging threats.
“Without this shift, the rapid digitisation of education will continue to outpace the sector’s ability to secure it.”
UPDATE 07/05/26
The NSW Department of Education circulated a second statement at 5.17 pm:
"The Department of Education has contacted schools that have used the Canvas platform and is working with the company Instructure to determine whether any data has been impacted.
The department considers the risk of a breach of any sensitive information to be low, and as a precaution, schools have been advised to reset passwords."
Further, only 45 schools in New South Wales use the Canvas platform, and no sensitive personal information - such as birthdates - are recorded in the platform.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.