Queensland Education Data Exposed in Global Cyberattack

Key facts

• Tens of thousands of Queensland students and staff affected by a global data breach.
• Names, email addresses, and school locations compromised.
• Instructure, provider of QLearn and Canvas, confirmed a cybersecurity incident.
• ShinyHunters hacking group claimed responsibility for the breach.
• Data compromised dates back to 2020.
• No evidence of passwords, dates of birth, or financial information being accessed.
• National Office of Cyber Security is coordinating the response.

Millions Worldwide Affected by Learning Platform Breach

A significant cybersecurity incident has exposed the personal data of millions globally, with Australian education institutions now scrambling to assess the fallout. The breach, which affected the cloud-based Canvas learning management system developed by American company Instructure, has impacted thousands of educational providers worldwide. Among those confirmed to have suffered compromised data are state schools in Queensland and Tasmania, universities across New South Wales and South Australia, and TAFE institutions in Tasmania. Instructure, a multinational company providing various resources to educational bodies, acknowledged the cybersecurity incident on its customer status page over the weekend. The company stated it was working rapidly to understand the extent of the breach and implement measures to mitigate its impact. Chief Information Security Officer Steve Proud later provided an update, indicating the incident had been "contained" and that initial investigations suggested the compromised information included identifying details of users at affected institutions. Cybersecurity experts noted that the notorious hacking group ShinyHunters has claimed responsibility for the attack. This development has placed educational institutions across Australia on high alert, prompting urgent responses to safeguard student and staff information. The National Office of Cyber Security is now coordinating efforts to respond to the incident and ascertain the full scope of Australian data affected.

Queensland Students and Staff Data Exposed Since 2020

In Queensland, the breach has compromised data belonging to students and staff of state schools dating back to 2020, when the Department of Education introduced its online learning platform, QLearn. Education Minister John-Paul Langbroek confirmed that early advice indicates names, email addresses, and school locations were potentially revealed. He stressed, however, that the department has found no evidence suggesting that passwords, dates of birth, or financial information were accessed. Instructure is the parent company behind Canvas, a learning management system widely adopted by numerous Queensland universities, including Queensland University of Technology, Griffith University, and the University of the Sunshine Coast. The University of the Sunshine Coast confirmed it was aware of a breach that had affected "some Canvas user information." The scale of the global breach is substantial, with estimates suggesting up to 2 million people and 9,000 institutions could be affected in total. Premier David Crisafulli described the breach as "shocking and disappointing," expressing concern for the emotional impact on parents and children. He stated that the department was urgently seeking further information from Instructure. The Education Department is actively contacting families and teachers, with priority support being offered to those with known experiences of family and domestic violence or who are known to Child Safety authorities.

Third-Party Risk Magnifies Education Sector Vulnerabilities

The incident underscores the growing vulnerability of the education sector to third-party cyber risks. Instructure's QLearn platform, used by the Queensland Department of Education, and its Canvas system, employed by numerous universities, represent critical digital infrastructure for learning and administration. The compromise of this infrastructure highlights how a single point of failure at a service provider can cascade into widespread data exposure for a vast number of individuals. Michelle McGuinness, national cyber security coordinator, stated that her team is in the initial stages of assessing the impacts and will provide further updates as understanding improves. She advised individuals who believe they may be affected to avoid responding to unsolicited contact. This recommendation aims to prevent potential phishing attacks or further exploitation of the exposed information. Industry experts observe that a significant portion of cybersecurity incidents now involve educational institutions. Lou Robertson, education industry lead at CyberCX, noted that approximately 10 percent of incidents his organisation responded to in 2025 involved educational bodies, indicating a persistent trend of targeting within this sector.

Response and Support for Affected Individuals

The Queensland Department of Education is actively engaged in communicating with affected families and teachers. This outreach is being prioritised for individuals who may be particularly vulnerable due to known circumstances, such as family and domestic violence or involvement with Child Safety services. The department has committed to providing ongoing updates as more information becomes available from Instructure. Nationally, the federal government's National Office of Cyber Security is playing a central role in coordinating the response. This involves working with state and territory governments, as well as educational institutions, to understand the full scope of the breach and to develop appropriate mitigation strategies. The focus is on providing clear guidance and support to affected individuals and institutions. Instructure has stated it continues to investigate the incident and is taking steps to minimise its impact. The company's chief information security officer, Steve Proud, assured that while the investigation is ongoing, initial findings suggest that sensitive information like passwords and financial details were not compromised. The emphasis remains on identifying the full extent of the compromised data and ensuring robust security measures are in place moving forward.

The bottom line

• A global data breach affecting the Instructure learning platform has exposed personal details of tens of thousands of Queensland students and staff.
• Compromised data includes names, email addresses, and school locations dating back to 2020.
• No evidence suggests that passwords, dates of birth, or financial information were accessed.
• The hacking group ShinyHunters has claimed responsibility for the attack.
• The National Office of Cyber Security is coordinating a national response to the incident.
• Educational institutions are increasingly vulnerable to third-party cyber risks.