Canvas Data Breach: What Australian Schools and Universities Should Do Now
Last updated: 13 May 2026
Update 13 May 2026: Instructure paid the ransom. Data allegedly destroyed. Incident not over for institutions.
On the evening of 11 May (US time), one day before the public deadline, Instructure confirmed it reached an agreement with ShinyHunters.
Instructure stated it received digital confirmation of data destruction, including shred logs, and assurance that no customers would be individually extorted as a result of the incident. The agreement covers all affected Instructure customers. Instructure said individual institutions do not need to engage with ShinyHunters directly.
CEO Steve Daly issued a public apology, acknowledging the company's initial response fell short. "We got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates."
Instructure did not disclose the monetary value of the agreement.
Why this does not mean the risk is over
Cybersecurity experts have been clear that paying a ransom does not guarantee safety.
Cliff Steinhauer, Director of Information Security and Engagement at the National Cybersecurity Alliance, warned that "even when criminals claim they've deleted stolen data or provide 'proof' of destruction, there is no reliable way to verify those claims, and history shows that data is often retained, resold, or used in future extortion attempts." He added that paying ransom "reinforces the economic incentive structure behind cyber extortion and signals to threat actors that targeting large education platforms can be profitable."
Allison Nixon, Chief Research Officer at Unit 221B, also warned against paying ShinyHunters, noting that while the group has proven capable in past operations, there is no guarantee of follow-through on data destruction commitments.
This is also not the first time ShinyHunters has targeted Instructure. In September 2025, the group claimed to have breached Instructure's Salesforce environment in a separate incident involving different systems.
What has changed technically
BleepingComputer confirmed the specific attack method: ShinyHunters exploited multiple cross-site scripting (XSS) vulnerabilities in Canvas. They injected malicious JavaScript through user-generated content features to obtain authenticated admin sessions and perform privileged actions. Both intrusions (29 April and 7 May) exploited the same vulnerability in the Free-For-Teacher environment.
Instructure has since temporarily shut down all Free-For-Teacher accounts and stated it is working to resolve the underlying security issues. CrowdStrike is assisting with forensic analysis, and a third-party digital forensics report has confirmed that ShinyHunters no longer has access to Instructure systems.
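To make the defect class concrete, here is an added illustration (not Canvas code and not anything Instructure or CrowdStrike has published): the vulnerable pattern of writing user-generated content straight into a page, beside the output-escaping fix, plus a check on session-cookie flags as defence in depth. The HTML fragment, sample comments and cookie header are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample of user-generated content (a discussion post or profile
# field, say). The last two entries are standard, harmless XSS probes.
SAMPLE_COMMENTS = [
    "Great lecture, thanks!",
    "<script>alert(1)</script>",
    '<img src="x" onerror="alert(1)">',
]


def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML."""
    return f'<li class="comment">{comment}</li>'


def render_safe(comment: str) -> str:
    """Hardened pattern: every untrusted string is escaped at output time, so
    angle brackets and quotes reach the browser as text, not markup."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_elements(rendered: str, wrapper: str = "li") -> list[str]:
    """Return any element other than the wrapper that the rendered fragment
    would create. A non-empty result means user content became markup."""
    collector = _TagCollector()
    collector.feed(rendered)
    return [t for t in collector.tags if t != wrapper]


def session_cookie_hardened(set_cookie_header: str) -> bool:
    """Defence in depth against the session-theft step: the session cookie
    should carry HttpOnly (script cannot read it), Secure and SameSite.
    This does not stop injected script from acting inside the page on the
    victim's behalf, which is why output escaping is the primary fix."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_header.split(";")[1:]
    }
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(
            "unsafe:", injected_elements(render_unsafe(c)),
            "| safe:", injected_elements(render_safe(c)),
        )
    print(session_cookie_hardened("session=abc; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

Running the script shows the unsafe renderer turning the two probe comments into `script` and `img` elements while the escaped renderer yields none; the same parser check can be pointed at any template output in a test suite to catch a missed escape before it ships.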
What Australian schools and education providers should do now
The ransom payment does not change your obligations or the practical steps you should be taking.
Continue to treat your institution as potentially compromised. Shred logs are not proof that data will not resurface.
Rotate Canvas API keys and OAuth tokens if you have not already done so.
Check your SSO configuration for unexpected changes in authentication providers.
Review Canvas admin settings for any modifications to branding or login workflows that were not made by your team.
Continue warning staff, students, and families about phishing. The stolen data (names, email addresses, course names, enrolment information) provides enough detail for convincing targeted phishing attacks referencing specific courses, institutions, or academic deadlines.
Document your full response for regulatory purposes. The OAIC and state privacy regulators may still require notification if you assess that serious harm is reasonably likely.
If you are a private school, childcare centre, or registered training organisation, your Notifiable Data Breaches obligations under the Privacy Act have not changed because the vendor paid a ransom.
Instructure has stated that Canvas is fully operational and safe to use. That may be true for the platform itself, but the downstream risk from stolen data remains an ongoing concern for every institution that used Canvas during the affected period.
Summary of the full incident
For reference, here is the complete timeline:
29 April: Instructure detects unauthorised activity in Canvas
1 May: Instructure confirms a cyberattack by a criminal threat actor
3 May: ShinyHunters claims responsibility, demands ransom by 6 May
6 May: Instructure says Canvas is operational, initial deadline passes
7 May: ShinyHunters compromises Canvas a second time, defacing 330 login portals with a ransom message. New deadline set for 12 May.
8 May: Canvas restored. Free-For-Teacher accounts suspended.
11 May: Instructure confirms agreement with ShinyHunters. CEO issues apology. Data allegedly destroyed.
12 May: Original deadline passes. No public data leak. Canvas confirmed fully operational.
This article will no longer receive daily updates. We will publish a follow-up if significant new developments occur, particularly around data resurfacing, regulatory action, or class action outcomes.
Update 12 May 2026: Deadline day. Instructure confirms both intrusions and engages CrowdStrike. Tasmania and University of Melbourne confirm exposure. Exposed data types expanded.
Today is the deadline ShinyHunters set for the release of stolen data. As of this morning (AEST), no public data dump has occurred. Cybersecurity firm Halcyon has noted that ShinyHunters removed Instructure from their data leak site shortly after defacing Canvas login pages, which the firm describes as a known pattern when negotiations have started. However, no direct communication between Instructure and ShinyHunters has been publicly confirmed.
Instructure has not stated whether it has paid a ransom or entered into negotiations. The FBI has advised against paying, and there is no guarantee that payment would prevent a future release.
Instructure confirms both intrusions and expands data disclosure
In its most detailed update to date, Instructure has now formally confirmed two rounds of unauthorised activity: the initial breach detected on 29 April and the second incident on 7 May that defaced approximately 330 institutional login pages. The company confirmed the attacker exploited a vulnerability in its Free-For-Teacher account system.
Instructure has engaged CrowdStrike to assist with forensic analysis and incident response. A separate vendor has been hired to conduct a large-scale e-discovery review of the affected data to provide institutions with more detailed information about which records were involved. Instructure has warned that this review could take "some weeks" to complete.
The company has also expanded the list of confirmed exposed data types. The initial disclosure referenced names, email addresses, student ID numbers, and messages. The updated incident page now lists usernames, email addresses, course names, enrolment information, and messages. Core learning data, including coursework and submissions, was not compromised according to Instructure.
In response, Instructure has revoked privileged credentials and access tokens tied to compromised systems, rotated internal keys, restricted token creation pathways, and added monitoring across all platforms. The company also notified the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA).
New Australian developments
Tasmania's Department for Education, Children and Young People (DECYP) has confirmed it has been identified as impacted by the breach. DECYP uses Canvas to deliver, manage, and track learning across Tasmanian schools and colleges. The department stated that "investigations commenced immediately and are ongoing" and that it has "not been informed if any Tasmanian data has been obtained." DECYP has activated its cyber response governance arrangements and urged families to stay alert for scams and suspicious messages.
TasTAFE chief executive Norman Baker separately confirmed that some TasTAFE student data was compromised, including messages exchanged between students and teachers.
The University of Melbourne published a dedicated incident page on 11 May confirming that University of Melbourne data has been involved in the breach. The university stated it is working with Instructure and relevant authorities to understand the extent of the exposure, and advised students and staff to practise good cybersecurity while investigations continue.
Who else should be assessing their exposure
Reporting to date has focused on universities, TAFEs, and state schools. But Canvas is also used by private schools, independent colleges, registered training organisations, and corporate training providers for compliance, governance, and professional development. Instructure has confirmed it has many corporate users of Canvas who use the platform for professional development courses, compliance, and staff certifications. There is no indication yet whether corporate users are among those breached, but the scale of the incident means any organisation using Canvas should be confirming its exposure with Instructure.
If your organisation is a private school, childcare centre, or training provider that uses Canvas in any capacity, including through a third-party registered training organisation, you should be assessing your position now. This applies regardless of whether you have been directly contacted by Instructure.
What happens next
Whether data is released today or not, the immediate risk shifts to phishing and impersonation. The University of Auckland has warned that targeted phishing attacks, refined using the stolen data, are the most likely consequence of this breach. Names, email addresses, course enrolment information, and student IDs provide enough material for convincing scam emails that reference specific courses, institutions, or academic deadlines.
The expanded data disclosure (now including course names and enrolment information) makes these phishing risks more targeted than initially anticipated. Scam emails could reference specific subjects, academic terms, or institutional processes to appear legitimate.
All guidance from the original article and previous updates remains current. Whether data is released today or not, the steps for Australian schools, private education providers, early childhood centres, and training organisations are the same: confirm exposure, document your response, warn staff and families about phishing, and assess your notification obligations.
Update 10 May 2026: FBI warning, exploit method confirmed, Australian government coordinating response
The ShinyHunters deadline, end of day on 12 May 2026, is now two days away. The breach has been described as the largest educational data breach on record.
FBI issues public warning
The FBI has confirmed it is aware of the breach and has mobilised resources across multiple US states to assist affected institutions. The agency issued a clear directive to anyone who may have been affected: do not engage with anyone who claims to have your data, do not respond to demands, and do not send payments. The FBI also warned that scammers often exaggerate or lie about their access to data in order to extract money from victims, and that receiving a message does not necessarily mean your personal information has been compromised. Anyone who receives a suspicious contact should verify it through known channels before responding.
How the breach happened
Instructure has confirmed the attack vector. ShinyHunters exploited a vulnerability in Canvas' Free-For-Teacher accounts. Instructure has temporarily shut down all Free-For-Teacher accounts as a result. The initial unauthorised activity was detected on 29 April, with the breach disclosed publicly on 1 May. API keys were also compromised, disrupting third-party integrations that rely on those keys. Instructure's chief information security officer Steve Proud confirmed the breach was "perpetrated by a criminal threat actor."
Australian government response
Australia's National Office of Cyber Security (NOCS) is now coordinating a national response to the breach. The Office of the Australian Information Commissioner has issued an official statement confirming the coordination. Australia's national cyber security coordinator, Lieutenant General Michelle McGuinness, is actively working to establish the scope of the breach.
The list of confirmed affected Australian and New Zealand institutions continues to grow:
- Queensland: Education Minister John-Paul Langbroek confirmed QLearn was affected, stating that students and staff at Education Queensland schools since 2020 may have had names, email addresses, and school locations compromised. Langbroek stated that early advice suggests the breach will impact more than 200 million people and 9,000 institutions worldwide. School principals have begun contacting families and teachers directly.
- University of Sydney: Confirmed that University of Sydney data has been impacted. The university reinstated Canvas access after completing internal reviews and testing in consultation with NOCS.
- University of Canberra: Confirmed as affected and offering extensions to students. UC stated it is part of a coordinated national response involving NOCS, the Department of Education, and Universities Australia. Some third-party tools within Canvas (Cadmus, Turnitin, FeedbackFruits) will be restored progressively from 11 May.
- RMIT University: Confirmed it has been notified and is working with Instructure to determine if RMIT data was involved.
- UTS: Reported Canvas was operating as normal but is working with Instructure to confirm whether UTS data has been compromised.
- Flinders University: Confirmed student and staff data held within Canvas may have been impacted. Precautionary steps have been taken.
- NSW Department of Education: Confirmed it is investigating whether any NSW schools have been impacted.
- Victoria University of Wellington (NZ) and Auckland University of Technology (NZ) have also confirmed impacts.
What to do before 12 May
The guidance from our original article remains current. If your institution has not yet taken these steps, the next 48 hours are critical:
- Confirm with Instructure whether your institution's data was included in the breach
- Document your response actions for potential regulatory reporting under the Notifiable Data Breaches scheme. Note: the OAIC has confirmed that not all educational institutions are covered by the Privacy Act. State and territory government schools are usually governed by state privacy laws.
- Warn all staff and students about phishing and scam emails claiming to be related to the breach
- Do not engage with anyone claiming to have your data or demanding payment
- Change passwords on any accounts where you used the same credentials as Canvas. Instructure has confirmed no Canvas passwords were compromised, but reuse of credentials on other platforms remains a risk.
- Enable multi-factor authentication on all online accounts
- If your organisation uses Canvas for staff compliance training or professional development, assess whether staff credentials or personal data may have been exposed
For further guidance, the OAIC recommends visiting the National Anti-Scam Centre's ScamWatch site at scamwatch.gov.au.
Update 8 May 2026: Second attack, ransom deadline set for 12 May
The situation has escalated significantly since this article was first published.
On 7 May, ShinyHunters compromised Canvas a second time. Students and staff attempting to log into Canvas at multiple institutions were redirected to a page displaying a ransom message. The message warned that stolen data would be released publicly unless a payment was made by 12 May 2026. Instructure had previously stated the situation was resolved.
This second incident means that even institutions that followed Instructure's initial guidance and resumed normal use of Canvas were exposed to further disruption. It also raises serious questions about Instructure's ability to contain the threat.
Additional Australian institutions confirmed affected
The list of confirmed or potentially affected Australian institutions has grown substantially:
- University of Melbourne confirmed Canvas data was involved in the breach
- Queensland Education Minister John-Paul Langbroek confirmed the state's QLearn platform was affected, impacting Queensland state school students and staff
- NSW Department of Education, WA Department of Education and Victoria Department of Education all use Canvas for teaching and professional development
- Victoria's Department of Education is still dealing with the aftermath of a separate major breach in January 2026 that affected all 1,700 Victorian government schools
- Additional institutions including Brisbane Grammar, Sacred Heart College Geelong, Mentone Grammar and Australian Catholic University are listed as Canvas customers
Internationally, the University of California system, California State University, USC, Stanford, Harvard, Duke, the University of Pennsylvania and Los Angeles community colleges have all reported impacts.
What has changed for Australian schools and childcare centres
The key development is the confirmed scale. ShinyHunters claims 3.65 terabytes of data was stolen, covering approximately 275 million user records and billions of private messages between students and teachers. While these figures have not been independently verified, the breadth of institutional confirmations suggests the breach is extensive.
For early childhood centres and childcare providers, this breach is a reminder of how third-party platform risk affects the education sector broadly. If your centre or training provider uses Canvas in any capacity, including for staff compliance training or professional development delivered through a registered training organisation, you should be assessing your exposure now. Children's personal data carries heightened sensitivity under the Privacy Act, and any potential exposure requires prompt assessment.
The original guidance below remains current. The steps have not changed, but the urgency has increased. If your institution has not yet completed a breach assessment, started documentation or contacted Instructure for confirmation, do so today. The 12 May deadline set by ShinyHunters means the window for proactive response is closing.
Author: Heinrich Lombard
On 30 April 2026, Instructure, the company behind Canvas, disclosed a disruption to its platform. By 1 May, the company confirmed it had suffered a cyberattack perpetrated by a criminal threat actor. The extortion group ShinyHunters has claimed responsibility and says it stole data tied to about 9,000 institutions and up to 275 million records worldwide, although that figure has not been independently verified. Reported data types include names, email addresses, student ID numbers and private messages between users. Instructure says passwords, dates of birth, government identifiers and financial information were not involved.
For Australian schools and universities, the main issue is not the headline number. It is whether your institution uses Canvas, whether your student or staff data was exposed, and what your legal obligations are if it was.
Canvas is widely used in Australian education
Canvas has a significant footprint in Australian education. Multiple Australian universities and TAFEs have publicly responded to the breach, including RMIT, the University of Technology Sydney, the University of Adelaide, Flinders University and TasTAFE. On 6 May, the Queensland government confirmed that tens of thousands of students and staff in Queensland were affected. Instructure maintains an Australian presence through its local site and operations, and Canvas adoption grew substantially during the COVID-19 pandemic when institutions moved teaching online.
This is not a distant overseas incident with no local impact. Australian institutions are directly involved, and more notifications are likely in the coming days.
Are Australian institutions affected?
Yes. Several Australian institutions have already confirmed they are assessing their exposure or have been directly affected. TasTAFE has confirmed student data was compromised. The Queensland government confirmed on 6 May that tens of thousands of Queensland students and staff were affected. Universities including RMIT, UTS, the University of Adelaide and Flinders University have issued statements to students.
A full public list of all affected institutions has not been published. ShinyHunters reportedly shared a list of about 8,800 institutions with BleepingComputer, but that list has not been independently verified in full.
If your school, university or education provider uses Canvas and you have not yet received official communication, do not assume you are unaffected. Contact Instructure directly and work through your IT team, executive leadership and legal or privacy contacts.
What data was exposed?
Based on current reporting, the exposed data may include:
- Names
- Email addresses
- Student ID numbers
- Private messages between users, including students, teachers and staff
According to Instructure, the following were not exposed:
- Passwords
- Dates of birth
- Government identifiers
- Financial information
That distinction matters, but it should not create false comfort. Even without passwords or financial details, a dataset containing names, email addresses, student IDs and private communications can still create real risk.
Private messages may contain pastoral care discussions, disciplinary matters, wellbeing concerns, academic issues or other sensitive context. Even a limited dataset can be enough for targeted phishing, impersonation and reputational harm.
Why this matters in Australia
This is where many organisations get caught out. A breach at a third-party software provider does not automatically mean your organisation has no obligations. If the compromised system holds personal information you are responsible for, Australian privacy law may still require action from you.
Working with health practices and educational organisations across Queensland, we regularly see the same gaps. There is often no incident response plan, limited understanding of Notifiable Data Breaches obligations, and too much trust placed in third-party platforms without any serious security review.
I have been on the other side of incidents like this, leading response efforts for organisations under active attack, coordinating with government cyber security teams, and running the reviews afterwards. The organisations that come through it well are always the ones that had a plan before it happened.
Your obligations under Australian law
For many private education providers, the key law is the Privacy Act 1988 (Cth).
Private schools, childcare centres and private tertiary institutions are generally treated as APP entities under the Act, regardless of annual turnover. That means privacy compliance is not optional just because the organisation is small or not-for-profit. If you collect and hold personal information, you have obligations.
One of the most important obligations is under the Notifiable Data Breaches scheme. If an eligible data breach is likely to result in serious harm to affected individuals, the organisation must notify the Office of the Australian Information Commissioner, or OAIC, and notify the affected individuals.
A common mistake is assuming the vendor will handle everything. That is risky.
If the breach happened at a provider like Instructure, but the compromised data belongs to your students, parents or staff, your institution may still need to assess whether the breach is likely to result in serious harm and whether notification is required. You cannot safely assume that waiting for the software provider to issue an update is enough.
For public schools in Queensland, the position is different. They are generally covered by the Information Privacy Act 2009 (Qld) rather than the federal Privacy Act. The legal pathway is different, but the practical expectation is similar. You still need to assess the incident, document your response, understand the impact on affected individuals and follow the relevant state process.
There are also penalties for getting this wrong. Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum penalty for serious or repeated interference with privacy is the greater of $50 million, three times the benefit obtained, or 30% of adjusted domestic turnover for bodies corporate (that is, any incorporated organisation such as a company, incorporated association, or registered entity). For individuals, the maximum penalty is $2.5 million. The exact enforcement pathway depends on the facts and the applicable law, but the point is straightforward. Privacy obligations are real, and regulators expect organisations to take them seriously.
The right response is not panic. It is documentation, assessment and timely decision-making.
That means you should be able to answer questions like these:
- Did we use Canvas during the affected period?
- What categories of personal information did we store there?
- Were students, parents, teachers or staff affected?
- Could the exposed information reasonably create a risk of serious harm?
- What evidence have we received from Instructure?
- What internal steps have we taken to assess and reduce risk?
- Do we need to notify the OAIC, affected individuals, or both?
If you cannot answer those questions quickly, that is the problem to solve now.
What Australian schools and universities should do right now
1. Confirm whether your institution uses Canvas and whether your data was affected
Start with the obvious. Check whether your institution actively uses Canvas, which parts of the platform are in scope, and who owns the vendor relationship. Contact Instructure and ask for confirmation about whether your tenant or data was affected.
Do not stop at a generic public statement. Ask for specifics relevant to your organisation.
2. Monitor Instructure's incident updates
Track official incident communications and preserve copies of what you receive. This includes Instructure's status page, support replies and any formal notices. If regulators, parents or your board ask what you knew and when, that record matters.
3. Assess whether notification is required under the NDB scheme
If personal information relating to students, staff or families was exposed, assess whether the incident is likely to result in serious harm. That assessment should be documented, not informal.
If you are unsure, get legal advice early. Delay makes these situations harder, not easier.
4. Reset Canvas passwords and any reused credentials
Instructure says passwords were not involved, which is good news. It is still sensible to reset Canvas passwords and remind users not to reuse school credentials across other services.
Credential reuse is common. If staff or students reused the same password elsewhere, the practical risk expands well beyond Canvas.
5. Warn staff and parents about phishing
This step matters more than many institutions realise. Attackers may now have enough information to send convincing emails that look like they come from the school, a teacher, an administrator or a parent portal.
Warn staff and families to be cautious with links, attachments and urgent account messages. Tell them what official communication channels your institution will use.
6. Review your incident response plan
If you already have an incident response plan, test it against this event. If you do not have one, fix that now.
A breach is a bad time to discover nobody knows who approves notifications, who speaks to parents, or who owns regulator communications.
7. Review other third-party platforms holding student data
Canvas will not be the last vendor risk your institution faces. Review what other platforms hold student or staff data, what security controls those providers have, and whether your contracts and internal processes are strong enough.
For many schools, the biggest risk is not one breach. It is the pattern of relying on multiple third-party systems without a clear privacy and incident response framework.
What parents should do
Parents do not control the school's legal response, but they can still reduce risk. Be cautious with emails or text messages that ask you to log in, update account details or respond urgently about school systems. If a message looks important, contact the school directly using known contact details rather than the link in the message.
If your child uses Canvas, changing passwords and checking for reused credentials is a sensible precaution.
The practical takeaway
The Canvas breach is a reminder that vendor risk is still your risk. Even when the incident starts with a third-party platform, Australian schools and education providers may still need to assess exposure, document decisions and notify under privacy law.
If your organisation uses Canvas, do not wait for perfect clarity before you act. Confirm exposure, assess legal obligations and communicate clearly with the people affected.
Ozzie Geeks provides cybersecurity assessments for schools, childcare centres and educational organisations across Queensland. If you need help assessing exposure, reviewing your incident response process or understanding your notification obligations, you can contact us here or call 1300 093 780 for an initial security assessment.
FAQ
Was Canvas breached in Australia?
Yes. Several Australian universities and TAFEs have confirmed they are affected or are assessing their exposure. The Queensland government confirmed on 6 May that tens of thousands of students and staff were affected. If your institution uses Canvas, contact Instructure for confirmation of your specific exposure.
Do Australian schools have to report data breaches?
Many private schools do. Private schools are generally covered by the Privacy Act 1988 and may need to notify under the Notifiable Data Breaches scheme if a breach is likely to result in serious harm. Public schools are usually covered by state or territory privacy laws instead.
What should parents do about the Canvas data breach?
Parents should watch for phishing emails, change reused passwords, and follow official updates from their school or university. If a message looks suspicious, contact the institution directly using its published contact details.
Does the Notifiable Data Breaches scheme apply to childcare centres?
Yes. Private childcare centres are generally APP entities under the Privacy Act, regardless of turnover, and may need to comply with the Notifiable Data Breaches scheme when an eligible data breach occurs.
Author bio
Heinrich Lombard is a Consultant at Ozzie Geeks, an AI implementation, cybersecurity and managed IT consultancy serving health practices, schools, and professional services across Australia and New Zealand. He holds a Post Graduate in Cybersecurity and a Bachelor of Information Technology.
He has more than 20 years of experience in service management and security, and active experience implementing AI systems for Australian businesses.
This article provides general information only and does not constitute legal advice. If you need advice about your specific obligations under the Privacy Act or the Notifiable Data Breaches scheme, consult a qualified legal professional.
Related reading
- Essential Eight Explained for QLD Schools
- Privacy Act Obligations for Childcare Centres
- How to Build an Incident Response Plan for Small Organisations
If your organisation is a school, early childhood centre, or education provider affected by this breach, see our dedicated services for early childhood centres and cybersecurity services for education providers.