Updated ,first published
More than five years of Queensland state school student and staff data has been compromised after a cyberattack breached the Education Department’s online learning platform.
A statement from Education Minister John-Paul Langbroek said the breach had potentially revealed names, email addresses and school locations.
“Early advice is students and staff working or studying at Education Queensland schools since 2020, when the former government introduced the online system, have been affected,” he said.
Langbroek said the Education Department had no evidence that passwords, dates of birth or financial information were accessed.
He said the department was contacting families and teachers, prioritising those with known family and domestic violence, or those known to Child Safety.
The cybersecurity breach affected a third-party educational technology company, Instructure, which the Education Department uses for its QLearn online learning management system.
Langbroek said the breach was global, and was expected to affect up to 2 million people and 9000 institutions in total.
“The Department of Education will continue to update Queenslanders as further information is available,” the minister said.
Premier David Crisafulli said the breach was shocking and disappointing.
“It will leave every Queensland parent who’s caught up in this, and their kids, feeling crook in the gut,” he said.
Crisafulli, who received a briefing alongside the minister, said the department was seeking urgent information from Instructure.
Instructure owns Canvas, a learning management system also used by multiple Queensland universities, including Queensland University of Technology, Griffith University, and University of the Sunshine Coast.
UniSC released a statement on Wednesday afternoon confirming it was aware of a breach, which it said had affected “some Canvas user information”.
Online security company CyberCX’s education industry lead Lou Robertson said about 10 per cent of incidents his organisation responded to in 2025 involved education institutions.
“The education sector remains a highly attractive target for cyber criminal groups given the significant amounts of student data and information these organisations hold and the complexity of their technology environments,” he said.
The founder of cybersecurity firm Dvuln, Jamieson O’Reilly, said parents who had their children’s data taken in the breach could be more vulnerable to phishing scams created using that information and generative AI.
“This is operational, not theoretical, and it has been for some time,” O’Reilly said.
He said an attacker could create a false message using writing samples from leaked communications to seek payment, and urged parents who suspected their child’s data had been compromised to save verified school contact details.
Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.
David Swan is the technology editor for The Age and The Sydney Morning Herald. He was previously technology editor for The Australian newspaper.Connect via X or email.
