Back
Technology

Global Cybersecurity Incident Affects Canvas Learning Platform; Multiple Australian Educational Institutions Impacted

View source

Instructure Cyberattack: 9,000 Schools Hit, Including Dozens in Australia

A cybersecurity incident involving Instructure, the US-based developer of the Canvas learning management system, has affected an estimated 9,000 educational institutions worldwide, including multiple universities, TAFE colleges, and state school systems in Australia. The company later reported reaching an agreement with the attackers to return and destroy the stolen data.

Timeline of Events

The cybersecurity incident was first detected in early May. According to cybersecurity website BleepingComputer, a hacking group identifying as ShinyHunters claimed responsibility. The group reportedly demanded a ransom payment by May 12 and initially threatened to leak the data.

On May 7, some users at affected institutions reported seeing a ransom message upon attempting to log in. Systems experienced outages across multiple institutions.

Instructure later confirmed it had reached an agreement with the unauthorized actor. The company stated that the stolen data had been returned and that digital confirmation of its destruction, in the form of "shred logs," had been provided. Instructure stated that no customers would be extorted. The company did not explicitly confirm a ransom payment, stating it "reached an agreement with the unauthorised actor."

Affected Institutions and Scope

The breach impacted an estimated 9,000 institutions globally, affecting approximately 275 million users, according to some reports.

Australian institutions that confirmed or acknowledged potential impact include:

  • New South Wales: University of Technology Sydney (UTS), University of Sydney, Western Sydney University, University of Newcastle, Australian Catholic University, The King's School, Barker College, Reddam House. The NSW Department of Education reported 54 public schools were affected.
  • Queensland: Queensland state school students and staff using the QLearn platform since 2020. Queensland universities including Queensland University of Technology (QUT), Griffith University, and University of the Sunshine Coast also reported awareness of the incident.
  • Victoria: University of Melbourne, RMIT University, Melbourne Grammar School. Melbourne Archdiocese Catholic Schools stated it was assessing impact.
  • South Australia: Flinders University.
  • Tasmania: TasTAFE, Tasmanian state schools (Department for Education, Children and Young People).

Nature of Compromised Data

Instructure’s chief information security officer Steve Proud stated that the compromised data may include names, email addresses, student ID numbers, and messages exchanged among users within the system.

Multiple sources, including state education ministers and university officials, reported that there is no evidence that passwords, dates of birth, government identifiers, or financial information were accessed.

The breach originated from a vulnerability in support tickets within Instructure's Free for Teacher accounts. Instructure temporarily disabled these accounts as part of its response.

Institutional and Government Responses

  • National Cyber Security Coordinator Michelle McGuinness stated that her team is coordinating efforts with state and territory governments and education peak bodies. She advised the public not to search for data on the dark web or engage with the threat actor.
  • Queensland Education Minister John-Paul Langbroek stated that school principals are contacting families and teachers. The department is providing priority support to families known to child safety authorities or those with a history of domestic and family violence.
  • University of Technology Sydney (UTS) shut down its system as a precaution. All students were granted an automatic assignment extension until the following Monday.
  • The University of Sydney reported a global outage and stated it would work with the National Office of Cybersecurity if personal data was compromised.
  • TasTAFE reported that the breach was not a result of a breach of its own systems and that Instructure had engaged external cybersecurity specialists.
  • NSW Department of Education assessed the risk of sensitive data breach as low for the 54 affected public schools.

Instructure stated it had secured its systems and engaged law enforcement, including the FBI. The company’s CEO, Steve Daly, apologized for the breach and for communication issues, stating: "Over the past few days many of you dealt with real disruption... You deserved more consistent communication from us and we didn't deliver it."

Broader Context and Related Incidents

A separate incident involving the NSW Department of Education was detailed in an auditor-general's report released in the same period. The report identified data privacy gaps leading to a breach where two students accessed approximately 2,000 files containing mental health diagnoses and behavioral concerns of other students due to incorrect Microsoft 365 settings. That breach was among 491 incidents reported between 2023 and 2025. The department has been working to strengthen cybersecurity, and Education Minister Prue Car attributed the issues to the previous government's Local Schools, Local Decisions policy, which has since been ended.