By Sonia Isaacs
THOUSANDS of Queensland students and staff, have had personal information exposed in a global cyber attack targeting the Canvas learning platform, prompting urgent warnings from the State Government and schools across the region.
Education Minister John-Paul Langbroek confirmed he was briefed last Thursday (May 7) on the international breach involving Instructure, the company behind the QLearn system used in Queensland state schools since 2020.
The incident is believed to have affected more than 9,000 educational institutions worldwide and could involve more than 200 million users.
Early investigations indicate exposed data may include names, email addresses, school locations and student ID numbers, although authorities say there is no evidence that passwords, dates of birth or financial information were accessed.
Schools across Queensland, including Maleny State High School, have begun notifying families and staff.
Principal Deb Stewart said she had been advised by the department’s Deputy Director-General for Digital Innovation, Darrin Bond, to reinforce online safety measures.
She said guidance, had been provided to help schools respond consistently and support families to stay eSafe.
Mr Bond urged vigilance while investigations continue, with schools instructed to monitor updates and report concerns through a dedicated departmental inbox. Principals have also been provided online safety resources for parents and staff.
Glass House Mountains state school principal Ian Persini also reassured families that the Department of Education is working closely with Instructure and the Queensland Government Cyber Security Unit.
He said there were repeated assurances that passwords and financial information were not at risk, but warned families to remain alert to phishing attempts and suspicious messages.
Instructure chief information security officer Steve Proud confirmed the company was investigating the “cybersecurity incident perpetrated by a criminal threat actor” with external forensic experts.
He said early findings suggested the compromised data involved identifying information and user messages, but no evidence of sensitive financial or password data.
The National Office of Cyber Security is also monitoring the incident as authorities work to determine the full scale of the breach and those responsible.
