
Canvas Data Breach: What Australian Schools and Universities Should Do Now

7 May 2026
8 min read

Last updated: 8 May 2026

Update 8 May 2026: Second attack, ransom deadline set for 12 May

The situation has escalated significantly since this article was first published.

On 7 May, ShinyHunters compromised Canvas a second time. Students and staff attempting to log into Canvas at multiple institutions were redirected to a page displaying a ransom message. The message warned that stolen data would be released publicly unless a payment was made by 12 May 2026. Instructure had previously stated the situation was resolved.

This second incident means that even institutions that followed Instructure's initial guidance and resumed normal use of Canvas were exposed to further disruption. It also raises serious questions about Instructure's ability to contain the threat.

Additional Australian institutions confirmed affected

The list of confirmed or potentially affected Australian institutions has grown substantially:

  • University of Melbourne confirmed Canvas data was involved in the breach
  • Queensland Education Minister John-Paul Langbroek confirmed the state's QLearn platform was affected, impacting Queensland state school students and staff
  • NSW Department of Education, WA Department of Education and Victoria Department of Education all use Canvas for teaching and professional development
  • Victoria's Department of Education is still dealing with the aftermath of a separate major breach in January 2026 that affected all 1,700 Victorian government schools
  • Additional institutions including Brisbane Grammar, Sacred Heart College Geelong, Mentone Grammar and Australian Catholic University are listed as Canvas customers

Internationally, the University of California system, California State University, USC, Stanford, Harvard, Duke, the University of Pennsylvania and Los Angeles community colleges have all reported impacts.

What has changed for Australian schools and childcare centres

The key development is the confirmed scale. ShinyHunters claims 3.65 terabytes of data was stolen, covering approximately 275 million user records and billions of private messages between students and teachers. While these figures have not been independently verified, the breadth of institutional confirmations suggests the breach is extensive.

For early childhood centres and childcare providers, this breach is a reminder of how third-party platform risk affects the education sector broadly. If your centre or training provider uses Canvas in any capacity, including for staff compliance training or professional development delivered through a registered training organisation, you should be assessing your exposure now. Children's personal data carries heightened sensitivity under the Privacy Act, and any potential exposure requires prompt assessment.

The original guidance below remains current. The steps have not changed, but the urgency has increased. If your institution has not yet completed a breach assessment, started documentation or contacted Instructure for confirmation, do so today. The 12 May deadline set by ShinyHunters means the window for proactive response is closing.

Author: Heinrich Lombard

On 30 April 2026, Instructure, the company behind Canvas, disclosed a disruption to its platform. By 1 May, the company confirmed it had suffered a cyberattack perpetrated by a criminal threat actor. The extortion group ShinyHunters has claimed responsibility and says it stole data tied to about 9,000 institutions and up to 275 million records worldwide, although that figure has not been independently verified. Reported data types include names, email addresses, student ID numbers and private messages between users. Instructure says passwords, dates of birth, government identifiers and financial information were not involved.

For Australian schools and universities, the main issue is not the headline number. It is whether your institution uses Canvas, whether your students' or staff's data was exposed, and what your legal obligations are if it was.

Canvas is widely used in Australian education

Canvas has a significant footprint in Australian education. Multiple Australian universities and TAFEs have publicly responded to the breach, including RMIT, the University of Technology Sydney, the University of Adelaide, Flinders University and TasTAFE. On 6 May, the Queensland government confirmed that tens of thousands of students and staff in Queensland were affected. Instructure maintains an Australian presence through its local site and operations, and Canvas adoption grew substantially during the COVID-19 pandemic when institutions moved teaching online.

This is not a distant overseas incident with no local impact. Australian institutions are directly involved, and more notifications are likely in the coming days.

Are Australian institutions affected?

Yes. Several Australian institutions have already confirmed they are assessing their exposure or have been directly affected. TasTAFE has confirmed student data was compromised. The Queensland government confirmed on 6 May that tens of thousands of Queensland students and staff were affected. Universities including RMIT, UTS, the University of Adelaide and Flinders University have issued statements to students.

A full public list of all affected institutions has not been published. ShinyHunters reportedly shared a list of about 8,800 institutions with BleepingComputer, but that list has not been independently verified in full.

If your school, university or education provider uses Canvas and you have not yet received official communication, do not assume you are unaffected. Contact Instructure directly and work through your IT team, executive leadership and legal or privacy contacts.

What data was exposed?

Based on current reporting, the exposed data may include:

  • Names
  • Email addresses
  • Student ID numbers
  • Private messages between users, including students, teachers and staff

According to Instructure, the following were not exposed:

  • Passwords
  • Dates of birth
  • Government identifiers
  • Financial information

That distinction matters, but it should not create false comfort. Even without passwords or financial details, a dataset containing names, email addresses, student IDs and private communications can still create real risk.

Private messages may contain pastoral care discussions, disciplinary matters, wellbeing concerns, academic issues or other sensitive context. Even a limited dataset can be enough for targeted phishing, impersonation and reputational harm.

Why this matters in Australia

This is where many organisations get caught out. A breach at a third-party software provider does not automatically mean your organisation has no obligations. If the compromised system holds personal information you are responsible for, Australian privacy law may still require action from you.

Working with health practices and educational organisations across Queensland, we regularly see the same gaps. There is often no incident response plan, limited understanding of Notifiable Data Breaches obligations, and too much trust placed in third-party platforms without any serious security review.

I have been on the other side of incidents like this, leading response efforts for organisations under active attack, coordinating with government cyber security teams, and running the reviews afterwards. The organisations that come through it well are always the ones that had a plan before it happened.

Your obligations under Australian law

For many private education providers, the key law is the Privacy Act 1988 (Cth).

Private schools, childcare centres and private tertiary institutions are generally treated as APP entities under the Act, regardless of annual turnover. That means privacy compliance is not optional just because the organisation is small or not-for-profit. If you collect and hold personal information, you have obligations.

One of the most important obligations is under the Notifiable Data Breaches scheme. If an eligible data breach is likely to result in serious harm to affected individuals, the organisation must notify the Office of the Australian Information Commissioner, or OAIC, and notify the affected individuals.

A common mistake is assuming the vendor will handle everything. That is risky.

If the breach happened at a provider like Instructure, but the compromised data belongs to your students, parents or staff, your institution may still need to assess whether the breach is likely to result in serious harm and whether notification is required. You cannot safely assume that waiting for the software provider to issue an update is enough.

For public schools in Queensland, the position is different. They are generally covered by the Information Privacy Act 2009 (Qld) rather than the federal Privacy Act. The legal pathway is different, but the practical expectation is similar. You still need to assess the incident, document your response, understand the impact on affected individuals and follow the relevant state process.

There are also penalties for getting this wrong. Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum penalty for serious or repeated interference with privacy is the greater of $50 million, three times the benefit obtained, or 30% of adjusted domestic turnover for bodies corporate (that is, any incorporated organisation such as a company, incorporated association, or registered entity). For individuals, the maximum penalty is $2.5 million. The exact enforcement pathway depends on the facts and the applicable law, but the point is straightforward. Privacy obligations are real, and regulators expect organisations to take them seriously.

The right response is not panic. It is documentation, assessment and timely decision-making.

That means you should be able to answer questions like these:

  • Did we use Canvas during the affected period?
  • What categories of personal information did we store there?
  • Were students, parents, teachers or staff affected?
  • Could the exposed information reasonably create a risk of serious harm?
  • What evidence have we received from Instructure?
  • What internal steps have we taken to assess and reduce risk?
  • Do we need to notify the OAIC, affected individuals, or both?

If you cannot answer those questions quickly, that is the problem to solve now.

What Australian schools and universities should do right now

1. Confirm whether your institution uses Canvas and whether your data was affected

Start with the obvious. Check whether your institution actively uses Canvas, which parts of the platform are in scope, and who owns the vendor relationship. Contact Instructure and ask for confirmation about whether your tenant or data was affected.

Do not stop at a generic public statement. Ask for specifics relevant to your organisation.

2. Monitor Instructure's incident updates

Track official incident communications and preserve copies of what you receive. This includes Instructure's status page, support replies and any formal notices. If regulators, parents or your board ask what you knew and when, that record matters.

3. Assess whether notification is required under the NDB scheme

If personal information relating to students, staff or families was exposed, assess whether the incident is likely to result in serious harm. That assessment should be documented, not informal.

If you are unsure, get legal advice early. Delay makes these situations harder, not easier.

4. Reset Canvas passwords and any reused credentials

Instructure says passwords were not involved, which is good news. It is still sensible to reset Canvas passwords and remind users not to reuse school credentials across other services.

Credential reuse is common. If staff or students reused the same password elsewhere, the practical risk expands well beyond Canvas.

5. Warn staff and parents about phishing

This step matters more than many institutions realise. Attackers may now have enough information to send convincing emails that look like they come from the school, a teacher, an administrator or a parent portal.

Warn staff and families to be cautious with links, attachments and urgent account messages. Tell them what official communication channels your institution will use.

6. Review your incident response plan

If you already have an incident response plan, test it against this event. If you do not have one, fix that now.

A breach is a bad time to discover nobody knows who approves notifications, who speaks to parents, or who owns regulator communications.

7. Review other third-party platforms holding student data

Canvas will not be the last vendor risk your institution faces. Review what other platforms hold student or staff data, what security controls those providers have, and whether your contracts and internal processes are strong enough.

For many schools, the biggest risk is not one breach. It is the pattern of relying on multiple third-party systems without a clear privacy and incident response framework.

What parents should do

Parents do not control the school's legal response, but they can still reduce risk. Be cautious with emails or text messages that ask you to log in, update account details or respond urgently about school systems. If a message looks important, contact the school directly using known contact details rather than the link in the message.

If your child uses Canvas, changing passwords and checking for reused credentials is a sensible precaution.

The practical takeaway

The Canvas breach is a reminder that vendor risk is still your risk. Even when the incident starts with a third-party platform, Australian schools and education providers may still need to assess exposure, document decisions and notify under privacy law.

If your organisation uses Canvas, do not wait for perfect clarity before you act. Confirm exposure, assess legal obligations and communicate clearly with the people affected.

Ozzie Geeks provides cybersecurity assessments for schools, childcare centres and educational organisations across Queensland. If you need help assessing exposure, reviewing your incident response process or understanding your notification obligations, you can contact us here or call 1300 093 780 for an initial security assessment.

FAQ

Was Canvas breached in Australia?

Yes. Several Australian universities and TAFEs have confirmed they are affected or are assessing their exposure. The Queensland government confirmed on 6 May that tens of thousands of students and staff were affected. If your institution uses Canvas, contact Instructure for confirmation of your specific exposure.

Do Australian schools have to report data breaches?

Many private schools do. Private schools are generally covered by the Privacy Act 1988 and may need to notify under the Notifiable Data Breaches scheme if a breach is likely to result in serious harm. Public schools are usually covered by state or territory privacy laws instead.

What should parents do about the Canvas data breach?

Parents should watch for phishing emails, change reused passwords, and follow official updates from their school or university. If a message looks suspicious, contact the institution directly using its published contact details.

Does the Notifiable Data Breaches scheme apply to childcare centres?

Yes. Private childcare centres are generally APP entities under the Privacy Act, regardless of turnover, and may need to comply with the Notifiable Data Breaches scheme when an eligible data breach occurs.

Author bio

Heinrich Lombard is a Consultant at Ozzie Geeks, a cybersecurity and managed IT consultancy serving health practices, schools, and professional services across Queensland. He holds a Postgraduate qualification in Cybersecurity and a Bachelor of Information Technology.

This article provides general information only and does not constitute legal advice. If you need advice about your specific obligations under the Privacy Act or the Notifiable Data Breaches scheme, consult a qualified legal professional.

If your organisation is an early childhood centre or childcare provider affected by this breach, see our dedicated IT, cybersecurity and managed IT services for early childhood centres.