This week, US-based education technology provider Instructure announced a significant cybersecurity incident affecting its Canvas system. This is used by schools and universities around the world, including in Australia.
Cyber crime group ShinyHunters has claimed responsibility. On Thursday, the group claimed it had breached Instructure in another attack. Almost 9,000 educational institutions, involving 275 million students, teachers and staff are understood to be caught up in the data breach.
The hack has seen school login pages defaced. In Australia, students at institutions such as the University of Melbourne have been unable to submit assignments amid a global outage. The Queensland government’s “early advice” is students and staff working or studying at public schools since 2020 have been affected.
Instructure confirmed the exposed information may include names, email addresses, student identification numbers and private messages exchanged between users.
Learning is online – and so is student information
Canvas is widely used across the Australian education sector. It is one of several digital “learning management systems” that deliver teaching, assessment, communication and student support services.
Other common systems include Moodle and Blackboard, which help institutions manage coursework, assessments, attendance, analytics (like student engagement) and student administration.
The rapid growth of online and hybrid education (where students learn online and in person) has encouraged the adoption of these systems in schools and universities.
Many institutions now operate these systems through cloud-based models rather than maintaining all infrastructure internally. Students and staff can access these platforms through web browsers, desktop applications and mobile devices.
As a result, education providers now store significant volumes of sensitive information digitally.
While these systems provide flexibility and accessibility, they also create highly interconnected digital environments that can become attractive targets for cybercriminals.
A shift is happening
The Canvas incident is not the only breach. In 2025, there were reports ransomware attacks in schools and universities had jumped by 23% over the previous year.
But there is also an important shift occurring.
Earlier breaches often affected a single university or school through ransomware or compromised internal systems.
In contrast, incidents involving Canvas and another platform, PowerSchool, demonstrate a growing “platform concentration risk”. This is where one cyber incident can rapidly affect thousands of institutions and millions of students simultaneously because so many organisations rely on the same providers. Sadly, it is not just the education sector that is vulnerable to such incidents, any service reliant on internet can be be affected.
Read more:
An Amazon outage has rattled the internet. A computer scientist explains why the ‘cloud’ needs to change
Another emerging concern is the increasing sensitivity of the information exposed. Recent incidents reportedly involve private communications within educational environments among all stakeholders (students, teachers, and staff). This raises broader concerns around privacy, safety, mental wellbeing and institutional trust.
What do we need to do to better protect student information?
The Canvas incident highlights how dependent the education sector has become on large cloud and education technology platforms.
When widely used systems experience cyber incidents, the effects can quickly spread across thousands of institutions and millions of students. Schools and universities therefore need stronger oversight of vendors and clearer accountability regarding how student data is stored, shared and protected.
Institutions also need stronger access controls. This needs to involve multi-factor authentication, tighter identity management, encryption and “zero trust” approaches. This means every access request is continuously verified.
Sensitive information relating to student wellbeing, counselling or disability support should receive additional protection and restricted access.
Cyber awareness across the education community must also improve. Students, parents and teachers are often targeted through phishing and impersonation scams after breaches occur.
Governments should also consider stronger and more consistent cyber resilience standards for education technology providers.
As it stands, breaches can potentially affect privacy, safety, trust and mental wellbeing across the broader community.
