Back
Technology

Global Data Breach at Instructure's Canvas Platform Affects Millions of Users Worldwide

Generated on: Last updated: 12 sources
View source

Canvas Data Breach: Millions of Students and Staff Affected Globally

A cybersecurity incident involving Instructure, the developer of the Canvas learning management system, has compromised the data of millions of students, teachers, and staff at thousands of educational institutions worldwide, including numerous facilities in Australia. The breach was first reported on May 2 (Australian time) and has prompted responses from affected institutions, cybersecurity authorities, and law enforcement.

The hacking group ShinyHunters has claimed responsibility for the attack and is demanding an undisclosed ransom from Instructure.

Scope of the Incident

The breach has affected approximately 9,000 institutions globally. Estimates of the total number of individuals impacted range from 200 million to 275 million. The hacking group ShinyHunters has claimed responsibility for the attack.

According to cybersecurity industry website BleepingComputer, the group is demanding an undisclosed ransom from Instructure. Some users at affected institutions reported seeing a ransom message from ShinyHunters upon attempting to log in on May 7.

Instructure believes the incident has been contained. The company has engaged external cybersecurity specialists and law enforcement, including the FBI, to investigate the matter.

Compromised Data

According to Instructure's Chief Information Security Officer Steve Proud and statements from affected institutions, the following types of data may have been accessed:

  • Names
  • Email addresses
  • School or institution locations
  • Student identification numbers
  • Messages exchanged between users (teachers, students, and parents)

Authorities have stated that there is no evidence that passwords, dates of birth, government identifiers, or financial information were compromised.

The compromised data has not been publicly released as of the latest reports.

Affected Australian Institutions

Queensland

  • State schools using the QLearn platform (in use since 2020)
  • Queensland University of Technology, Griffith University, and University of the Sunshine Coast

New South Wales

  • 54 public schools (as reported by the NSW Department of Education)
  • University of Technology Sydney (UTS), Western Sydney University, and University of Sydney
  • The King's School, Barker College, and Reddam House

Victoria

  • University of Melbourne and RMIT University
  • Melbourne Grammar (stated no evidence of student data being stolen)
  • Melbourne Archdiocese Catholic Schools (assessing impact)

Tasmania

  • State schools
  • TasTAFE

South Australia

  • Flinders University

Other

  • University of Newcastle

Institutional Responses

Educational Authorities

Queensland Education Minister John-Paul Langbroek stated that school principals are contacting affected families and teachers. The Department of Education is providing priority support to families known to child safety authorities or those with a history of domestic and family violence.

TasTAFE reported that Instructure notified the institution that a criminal third party accessed its data. The incident was specific to Instructure's systems and not a breach of TasTAFE's own network.

Tasmania's Department for Education, Children and Young People (DECYP) Acting Secretary Ross Smith stated the department had not been informed if Tasmanian public school data was obtained.

Universities

University of Technology Sydney: Deputy Vice-Chancellor Kylie Readman stated the institution is working with Instructure to confirm compromised data. UTS shut down its system as a precaution, and all students received an automatic assignment extension.

University of Sydney: The university experienced a global outage. A spokesperson stated the university is assessing if personal data was compromised.

University of Melbourne: A spokesperson confirmed notification of the incident and stated the university is working with the vendor.

RMIT University: The institution stated it was assessing whether its data was involved and that Canvas remains operational.

Flinders University: A spokesperson confirmed student and staff data within Canvas may have been impacted.

Private Schools

The King's School: An internal investigation found unauthorized access between April 25 and 29. Stolen data was believed to be limited to student names and assignments.

Barker College: The school informed parents that external specialists are managing the situation.

Reddam House: Stated there was no evidence of disclosure of passwords, dates of birth, government identifiers, or financial information.

Government and Law Enforcement Response

National Cyber Security Coordinator Michelle McGuinness stated that her team is coordinating efforts to respond and assess the impact. She advised that institutions remain open and will contact students and staff directly if service interruptions occur.

She advised the public not to search for data on the dark web or engage with the threat actor.

Background

Canvas is a cloud-based learning management system developed by Instructure, a company based in Salt Lake City, Utah, USA. The platform is used by approximately 9,000 educational institutions worldwide. In Queensland, it has been used as the QLearn platform since 2020.

The breach follows a separate January 2025 cyberattack on the Victorian Department of Education.