





















Education departments across the country are responding to a major breach at a third-party cloud education platform; expert warns: “third-party risk can no longer be treated as a procurement or compliance exercise”.
The New South Wales Department of Education is investigating the impact of a third-party data breach that has already compromised school students and staff in Queensland.
“The department is aware of the publicly reported data breach affecting Instructure's Canvas platform,” a department spokesman told Cyber Daily.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
“The department is working with Instructure to establish if any NSW schools have been impacted and the nature of any data involved.
“Schools using the departmental sign-on do not have their passwords stored with Canvas, so there is no risk of credential exposure in those cases.”
Cyber Daily understands that many schools in NSW procure the Canvas platform directly from Instructure, while the Department has said any schools impacted by the breach will be supported.
The Queensland Education Minister confirmed today, May 7, that Education Queensland schools were impacted by the Instructure incident, which first came to light late last week.
“Advice at this stage is names, email addresses, and school locations have been compromised in the international data breach. No evidence of passwords, dates of birth, or financial information being accessed in the data breach,” John-Paul Langbroek said earlier today.
“School principals are in the process of contacting families and teachers to advise them of the breach.”
The ShinyHunters cyber extortion group is behind the incident and is claiming to have compromised millions of students and staff globally, and thousands of schools. In total, the hackers claim to have stolen more than 3.6 terabytes of data.
National response
Lieutenant General Michelle McGuinness, Australia’s National Cyber Security Coordinator, said in a post to LinkedIn that she was actively working to establish the scope of the breach.
"We are in the early stages of assessing the impacts, and I will share further updates as we gain a better understanding of the incident," Lieutenant General McGuinness said.
"If you think you may be impacted by this breach, the best way you can protect yourself is to not respond to unsolicited contact."
Tasmania’s Department of Education is also investigating the incident.
"Investigations commenced immediately and are ongoing. At this stage, while DECYP has been identified as being impacted by the cyber security incident, the specific impact of the incident is subject to further investigation by Instructure," a Department spokesperson said in a statement.
The University of Technology Sydney and the University of Sydney are also working on a response.
"If a breach of personal data has occurred, we will notify affected individuals and work closely with the National Office of Cybersecurity to manage the impact of the incident," a USyd spokesperson said.
"The university is one of approximately 9,000 educational institutions worldwide that is potentially impacted."
Why education?
Kash Sharma, Managing Director, ANZ, at cyber security firm BlueVoyant, said that breaches such as Instructure’s show that “schools are becoming an increasingly attractive target for cybercriminals”.
“Earlier this year, more than 1,700 Victorian government schools were similarly affected, exposing sensitive student records just as families prepared for the new school year,” Sharma told Cyber Daily.
“These incidents underscore a growing reality: education systems are no longer defending only their own networks, but also the expanding ecosystem of external vendors, platforms, and service providers connected to them.”
The issue is the sheer scope of the attack surface in the education sector. Not only are third-party providers such as Instructure driving attacks, but so are cloud services more generally, the adoption of online learning tools, and growing amounts of personal data held on aging school networks.
“For education leaders, third-party risk can no longer be treated as a procurement or compliance exercise. Institutional resilience now depends on the security posture of every connected vendor,” Sharma said.
“Effective third-party risk management requires continuous oversight across the full vendor lifecycle – from due diligence and onboarding through to ongoing monitoring, auditing, and incident response. Schools and education departments must move beyond static assessments and establish continuous visibility into vendor activity, security controls, and emerging threats.
“Without this shift, the rapid digitisation of education will continue to outpace the sector’s ability to secure it.”
Want to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Tags:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。