A major cybersecurity breach has affected thousands of schools and universities across Australia, resulting in the exposure of private and sensitive data belonging to millions of teachers and students.
.The breach involved Instructure, a third-party provider that operates online learning platforms including Canvas and QLearn, which are widely used by educational institutions across Australia
John-Paul Langbroek, Queensland’s Education Minister, said the cyberattack also affected international institutions and could potentially impact more than 200 million people and over 9,000 institutions worldwide.
He said early findings suggest that both students and staff using QLearn through Education Queensland may have been affected. According to authorities, compromised information includes names, email addresses, and school locations.
However, officials stated there is currently no evidence that passwords, dates of birth, or financial information were accessed.
Langbroek said school principals are in the process of informing affected families and teachers, while additional support is being provided to vulnerable groups, including families linked to domestic violence and child safety services.
Several universities have also reported potential impacts from the breach.
University of Technology Sydney said it is working with Instructure and Australian authorities to determine whether student information was compromised.
RMIT University confirmed it had been notified of the cyber incident affecting the Canvas learning management system and is investigating whether any university data was involved.
TasTAFE in Tasmania also confirmed that data associated with some customer accounts had been accessed by a criminal third party. The institution stated that the incident was linked to Instructure’s systems and not a breach of its own infrastructure.
TasTAFE said the compromised data may include personal information and content stored within Canvas, such as messages, but there is no indication that passwords, government identifiers, or financial information were exposed.
Meanwhile, Western Sydney University and Flinders University are also reportedly among the institutions affected, while several other universities using Canvas are continuing investigations into possible data exposure.
