A massive global cybersecurity incident targeting U.S.-based education technology provider Instructure has sent shockwaves through Australia’s education sector, leaving schools, universities and regulatory bodies scrambling to assess damage and mitigate risks to students and staff.
Instructure, the multinational firm behind widely used education platforms including Canvas and Queensland’s state government-run QLearn, confirmed last week that it had suffered a data breach that allowed unauthorized actors to access user information. Hackers have claimed they obtained sensitive data tied to more than 200 million users across over 9,000 educational institutions worldwide, with Australian users counting among those impacted.
Queensland’s Education Minister John-Paul Langbroek released a public statement Thursday confirming that any student or staff member who has interacted with state-run Queensland schools via the QLearn online platform since 2020—when the system was rolled out by the previous state government—is potentially affected. As of initial assessments, compromised information is limited to names, email addresses, and affiliated school locations. Langbroek emphasized that investigators have not found any evidence that passwords, dates of birth, or financial records have been accessed by the bad actors behind the breach.
The incident has triggered urgent concern among Australian education and safety officials, particularly for high-vulnerability groups. Priority support is being directed to families and educators who are registered with child safety authorities, as well as those currently experiencing family or domestic violence, whose exposed locations and contact details could put them at heightened risk. School principals across Queensland are currently contacting affected families and staff directly to inform them of the incident and available support.
While the full scope of impact across Australia remains unclear, Queensland is far from the only region affected. Instructure’s other major platform Canvas, a learning management system adopted by most Australian tertiary institutions, has also confirmed potential data exposures. Flinders University in South Australia, the University of Melbourne, and Tasmania’s Technical and Further Education (TAFE) institution have all publicly confirmed that they received notifications from Instructure about unauthorized third-party access to data held on their Canvas systems. A Flinders University spokesperson told the Australian Broadcasting Corporation that staff and student data hosted on the platform “may have been impacted.”
Instructure has responded publicly to the incident, claiming that the breach has already been contained. In a final status update posted to its website Wednesday, the company stated that all Canvas systems remain fully operational, and no ongoing unauthorized activity has been detected on its networks. In an earlier statement from Chief Information Security Officer Steve Proud, the company reiterated that while investigations are ongoing, only limited identifying information has been exposed, with no evidence that sensitive data such as government IDs, passwords or financial details was accessed. The company has not yet issued additional comment responding to specific questions about the scope of impact in Australia.