
Auditor General’s report reveals dangerous gaps in third-party security in NSW public schools

The New South Wales Department of Education only began considering essential student data management platforms as ‘crown jewels’ this year, report finds.

Tue, 30 Jun 2026

Data breaches at schools are arguably a parent's worst nightmare.

2026 has already seen a raft of breaches impacting third-party service providers and individual schools alike, and a recent government audit on the security and privacy of student information has shown that while vital work is being done, gaps in compliance, access control, and oversight remain.

Given the recent Instructure/Canvas breach, which saw schools across the country impacted by a third-party breach perpetrated by the ShinyHunters cyber extortion group, one finding is particularly galling.

 
 

According to the Audit Office, while 98 per cent of schools use three third-party platforms to manage student data – Compass, SchoolBytes and Sentral – the New South Wales Department of Education did not consider those systems to be ‘crown jewels’ until “early 2026”.

Thankfully, the Audit Office added that “higher levels of oversight, assurance and protective controls” are now being implemented by the Department.

The audit also found that not only did the Department rarely monitor the compliance of third-party platforms, but those platforms were also often deployed without adequate oversight in some school environments.

“The department’s marketplaces give schools a range of approved third-party digital products for school administration and online learning. It centrally manages contracts with third-party vendors, including terms to protect the security and privacy of student information,” the audit found.

“However, some schools use third-party products outside of these marketplaces and without departmental oversight or controls to protect student information.”

The audit found that school principals were all too often given technical responsibilities yet left to rely upon their own judgment rather than consistent operational guidance. Similarly, the Auditor General noted that access to student data was not limited to those who strictly needed it for their roles and responsibilities.

“Schools apply access controls inconsistently, and some staff access more information than they need or retain access after they leave a school,” the audit said.

“The department does not oversee or control staff access to third‑party school administration systems, which hold large amounts of student information.”

The Department of Education has said it supports and will act upon all of the Audit Office’s findings.

“The Department has already commenced work in several areas identified by the audit and will strengthen its governance, oversight, and assurance arrangements relating to the management of student information across departmental, school, and third-party environments,” Murat Dizdar, Secretary of the NSW Department of Education, said in response to the audit.

“The Department is committed to completing these reforms by July 2027, consistent with the Auditor General’s timeframe.”


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.