By Sonia Isaacs
Thousands of Queensland students and teachers have had personal information exposed in a global cyberattack targeting a major online learning platform used by schools and universities worldwide, prompting urgent warnings from the State Government and cybersecurity authorities.
Education Minister John-Paul Langbroek confirmed on Thursday morning (May 7) he had been briefed by the Department of Education about the international breach involving Instructure, the provider of the QLearn online learning system used across Queensland state schools.
The incident is understood to have affected more than 9,000 educational institutions globally and could impact more than 200 million people, including students and staff in Queensland schools dating back to 2020 when the platform was introduced under the former Government.
Early investigations indicate compromised data includes names, email addresses and school locations. Authorities say there is currently no evidence passwords, dates of birth or financial information were accessed.
School principals across Queensland have begun contacting families and staff to advise them of the breach, while the Department of Education has moved to provide priority assistance to vulnerable families, including those linked to Child Safety and people affected by domestic and family violence.
Mr Langbroek said the department would continue updating Queenslanders as further information became available.
The breach centres on Canvas, a widely used online learning management system operated by Instructure and used by schools, universities and TAFEs across Australia and overseas.
In an online statement, Instructure chief information security officer Steve Proud confirmed the company had “recently experienced a cybersecurity incident perpetrated by a criminal threat actor”.
“We are actively investigating this incident with the help of outside forensics experts,” Mr Proud said.
“Thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses and student ID numbers, as well as messages among users.”
He said there was “no evidence that passwords, dates of birth, government identifiers or financial information were involved”.
As a precaution, Instructure has advised institutions to enforce multi-factor authentication on privileged accounts, review administrator access and rotate API tokens and security keys where applicable.
Australian universities and TAFEs spent Thursday assessing their potential exposure, with institutions in Queensland, Tasmania, New South Wales and South Australia among those confirmed to be affected.
The National Office of Cyber Security is understood to be monitoring the incident as investigations continue into the scale of the breach and the identity of those responsible.