A massive Canvas data breach has impacted students at Australia’s top universities, disrupting classroom operations and raising fears of “far-reaching” consequences from the stolen personal data.
Schools and universities worldwide have been struck by what is widely described as the largest security breach in educational history, after the popular online learning platform Canvas was targeted in a major data attack.
As first reported by Lawyers Weekly’s sister brand, Cyber Daily, the ShinyHunters cyber extortion group has claimed responsibility for the massive data breach affecting cloud education provider Instructure and its Canvas online platform.
Between 3 and 5 May 2026, the hackers reported they had compromised the data of 275 million students and staff at “nearly 9,000” schools and universities across the globe.
However, the list ShinyHunters released on 5 May, dubbed the “Entire List of Affected Schools” on its dark web leak site, included just over 2,700 institutions – well short of the roughly 9,000 originally claimed.
The leaked data revealed that 177 Australian schools, universities, and institutions were affected, including some of the nation’s most prestigious universities, such as the University of Sydney, University of Technology Sydney (UTS), Australian National University, and the University of Melbourne.
Following the incident, UTS deputy vice-chancellor and vice-president (academic) Professor Kylie Readman confirmed on 10 May that Canvas access had been “fully restored”, with “no evidence of unauthorised access or any loss” of university data.
Last week, Instructure confirmed the data breach and announced it is collaborating with governments and educational institutions globally to assess the full scope of the attack.
The global scale of the breach is vast, but for Australia, the situation is alarming, with government education bodies and universities investigating the impact on students and teachers.
Speaking with Cyber Daily, Miguel Fornés, information security manager at cyber security firm Surfshark, warned that the scale of the attack goes well beyond a routine IT breach, with the stolen student data posing potentially “far-reaching” risks for victims.
“An attack of this magnitude transcends an isolated IT incident. The consequences for the victims are far-reaching, as stolen student data can be weaponised for lifelong identity theft, financial fraud, and extortion,” Fornés said.
“As a student, could you imagine your emotional response if you received an email requesting to confirm your data by the end of the semester? Wouldn’t you be tempted or desperate to log in and confirm the problem?”
Fornés slammed the reliance on outdated school systems, calling them easy prey for AI-driven attacks, and stressed that digital hygiene must become everyone’s responsibility, not just the IT department’s.
“Educational institutions still relying on legacy systems rather than modern architectures will be targeted as ‘low-hanging fruit’ by automated attacker-bots. Once categorised as an easy target, an institution is guaranteed to face a relentless barrage of aggressive, highly targeted strikes that easily overwhelm basic defences or unsuspected users,” Fornés said.
“Digital hygiene education must become a priority for all public groups if society is to keep pace with the advent of AI. Cyber security is no longer a responsibility that can be entirely outsourced to underfunded school IT teams, government agencies, or corporations.”
Former FBI agent and chief information security officer at Arctic Wolf, Adam Marrè, described the breach as a stark wake-up call for the education sector, stressing that personal data and sprawling networks make schools irresistible targets unless third-party risks are aggressively managed.
“Timely reminder for schools and universities of the growing risk organisations face when it comes to third-party platforms or SaaS providers. What makes this incident significant is that even when an organisation is not directly compromised, attackers are increasingly looking for opportunities to exploit the wider technology stack,” Marrè said.
“The education sector remains a highly attractive target due to the volume of personal data and the complexity of managing large student and staff networks.
“Incidents like this should prompt a call-to-action for schools and universities to reassess third-party risk management and incident response planning because cyber security today extends well beyond an organisation’s own perimeter.”