Hackers Demand Ransom Over Global Canvas Data Breach

Key facts

• Hackers calling themselves ShinyHunters are demanding an undisclosed ransom from Instructure, the parent company of Canvas.
• The breach potentially exposed names, email addresses, student ID numbers, and private messages.
• Up to 2 million people and 9000 institutions globally may be affected by the cyberattack.
• Data dating back to 2020 from Queensland state schools has been compromised.
• Universities including the University of Melbourne and RMIT University have confirmed their data was involved.
• Australia's National Cybersecurity Co-ordinator advised vigilance against phishing attempts.
• The hackers claim to have stolen 3.65 terabytes of data.

Global Educational Platform Hit by Cyberattack

A significant international cyberattack has infiltrated Canvas, a widely used learning management and communication system, placing sensitive personal and academic information at risk. Hackers, identifying as ShinyHunters, are reportedly holding vast amounts of data to ransom, demanding payment from Canvas's parent company, Instructure. The breach has sent ripples through educational institutions across Australia and globally, prompting urgent investigations and public advisories. The scale of the infiltration is considerable, with hackers claiming to have exfiltrated 3.65 terabytes of data. This trove is said to include billions of private messages exchanged between students and teachers, alongside identifying information such as names, email addresses, and student identification numbers. The potential ramifications for affected individuals are substantial, raising concerns about identity theft and targeted phishing attacks. Institutions in Victoria and Queensland, Australia, have confirmed their involvement in the breach. The University of Melbourne and RMIT University have notified students and staff that some of their data may have been compromised. Melbourne Grammar School also informed families of the incident, though it expressed a belief that no student data was accessed. The Victorian Department of Education, which uses a different system, has not yet indicated any impact on its schools.

Queensland Data Compromised Since 2020

In Queensland, the breach has affected the Education Department's QLearn online learning platform, a system provided by Instructure. State school student and staff data dating back to 2020, when the online system was first implemented by the former government, has been compromised. Early assessments suggest that names, email addresses, and school locations are among the exposed details. Education Minister John-Paul Langbroek stated that there is currently no evidence to suggest that passwords, dates of birth, or financial information were accessed. The department is actively contacting affected families and teachers, with a priority placed on those known to be involved in family and domestic violence cases or Child Safety matters. The global nature of the breach is expected to impact up to 2 million individuals and approximately 9000 institutions worldwide. Queensland universities, including Queensland University of Technology, Griffith University, and the University of the Sunshine Coast, also use Instructure's Canvas system. UniSC confirmed it was aware of a breach affecting some of its Canvas user information. The cybersecurity breach at Instructure underscores a growing trend, with one cybersecurity expert noting that about 10 percent of incidents his organisation responded to in 2025 involved educational institutions.

ShinyHunters' Demands and Data Claims

The cybercriminal group ShinyHunters has emerged as the alleged perpetrator behind the widespread breach. This group is known for targeting organisations and demanding ransom payments in exchange for not releasing stolen data or for its return. In this instance, they are reportedly seeking an undisclosed sum from Instructure, the company that owns and operates the Canvas platform. ShinyHunters claims to possess a substantial volume of data – 3.65 terabytes – which they assert includes billions of private messages. The potential exposure of these communications between students, teachers, and parents raises significant privacy concerns. Beyond messages, the hackers claim to have obtained identifying information that could be exploited for malicious purposes. Instructure has acknowledged the incident and is working with affected institutions to determine the full extent of the compromise. The company's response is crucial in managing the fallout and reassuring the thousands of educational bodies that rely on its services. The demand for ransom highlights the escalating sophistication and audacity of cybercriminal operations targeting critical infrastructure.

Official Warnings and Protective Measures

Australia's National Cybersecurity Co-ordinator, Michelle McGuinness, confirmed the cyberattack and issued guidance to the public. She advised families to remain vigilant for suspicious emails and other unsolicited online communications. The primary concern following such breaches is the potential for criminals to use the stolen personal information to trick victims into revealing further details, which can then be used to access other accounts, including financial ones. Phil Grutzner, headmaster of Melbourne Grammar, echoed these sentiments, urging caution online. He explained that phishing is the most likely consequence if an individual's data has been accessed. This involves attackers posing as legitimate entities to steal sensitive information like login credentials or financial details. Premier of Queensland, David Crisafulli, described the breach as "shocking and disappointing," acknowledging the distress it would cause to parents and students. Both he and Minister Langbroek have been receiving briefings and are seeking urgent information from Instructure to understand the full scope of the incident and its impact on Queenslanders.

Broader Implications for Educational Technology

The Canvas data breach is not an isolated incident but part of a broader pattern of cyber threats targeting the education sector. The reliance of modern learning on digital platforms makes these systems attractive targets for cybercriminals seeking valuable personal data. The compromise of a system used by 9000 institutions globally underscores the interconnectedness of the digital educational landscape and the cascading risks associated with a single point of failure. Educational institutions often handle vast quantities of sensitive data, including personal details of minors, making them particularly vulnerable. The financial and reputational damage from such breaches can be immense, alongside the erosion of trust between students, parents, and the institutions themselves. The incident serves as a stark reminder of the need for robust cybersecurity measures and continuous vigilance in the face of evolving threats. As investigations continue, the focus will be on Instructure's response, the extent of data exfiltration, and the effectiveness of protective measures implemented by affected institutions. The long-term consequences may include increased scrutiny of third-party vendor security and a push for more stringent data protection regulations within the education technology sphere.

The bottom line

• Hackers known as ShinyHunters are demanding a ransom from Instructure, the parent company of the Canvas learning platform, following a global data breach.
• The breach potentially exposed personal information including names, email addresses, student IDs, and private messages from up to 9000 institutions worldwide.
• Data from Queensland state schools dating back to 2020 has been confirmed as compromised.
• Several Australian universities, including the University of Melbourne and RMIT, have confirmed their data was involved.
• Authorities are warning of increased phishing risks and advising individuals to be wary of unsolicited communications.
• The incident highlights the vulnerability of educational technology platforms and the sensitive data they hold.