Major data breach sees student details compromised - Australian Broadcasting Corporation

Canvas data breach leaves education providers scrambling as student data compromised Topic: Data Privacy Wed 6 May Wednesday 6 May Canvas is a learning management software used by educational facilities across the world. (ABC News) In short: Thousands of education providers have been affected by a global data breach, including universities, vocational providers and some state schools in Australia. Names, locations of study, email addresses, and messages between users are among the details believed to have been compromised. What's next? The federal government's National Office of Cyber Security is coordinating a response. Education institutions around the country are scrambling to respond to a global data breach that has affected Australian universities, TAFE and public schools in at least two states. Almost 9,000 institutions worldwide are clients of the cloud-based Canvas learning management system, developed by American company Instructure, which was subjected to the hack. Among providers confirmed to have been affected are state schools in Queensland and Tasmania, universities in NSW and South Australia and TAFE in Tasmania.  In a post over the weekend on its status page for customers, Instructure said it had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor". "We are working quickly to understand the extent of the incident and actively taking steps to minimise its impact," wrote Instructure chief information security officer Steve Proud. This morning Mr Proud gave an update, saying the company believed it had "contained" the security incident. "While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," he wrote. "At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions." In a statement on social media, national cyber security coordinator Michelle McGuinness said her team was coordinating efforts to respond and understand what Australian data may be affected. "We are in the early stages of assessing the impacts, and I will share further updates as we gain a better understanding of the incident," she said.  "If you think you may be impacted by this breach, the best way you can protect yourself is to not respond to unsolicited contact."  Cyber security industry website BleepingComputer said notorious hacking group ShinyHunters had claimed responsibility for the breach. The group recently also claimed responsibility for hacking developer Rockstar — the makers of one of the largest video game franchises in the world, Grand Theft Auto. Data from that breach was released online after a ransom was not paid. It is understood the compromised Canvas data has not been publicly released at this stage. State schools, universities and TAFE affected Tens of thousands of Queensland students and teachers studying or working at Queensland state schools since 2020 are among those affected, according to the state government. In a statement, education minister John-Paul Langbroek said early advice suggested more than 200 million people could be impacted worldwide by the data breach, across more than 9,000 schools, universities and other institutions, and that principals would contact affected families. Instructure delivered the Queensland Education Department's online learning platform, QLearn. John-Paul Langbroek says tens of thousands of Queensland students have been affected by the data breach. (ABC Gold Coast: Dominic Cansdale) Mr Langbroek said his department was providing "priority support" to families known to child safety authorities, or those with a known history of domestic and family violence, and that school principals were in the process of contacting families and teachers about the breach. Queensland Teachers' Union president Cresta Richardson has called for a thorough investigation into how the breach occurred and how similar incidents could be prevented in the future. "This is a serious security failure that will no doubt cause great concern for the Queensland Teachers' Union members, students, and school communities," she said in a statement. "Concerned members are urged to keep in contact with school leaders for the latest advice on mitigating any potential ongoing security issues." Tasmania's Department of Education also confirmed state schools used the Canvas platform to track learning between staff and students and that it had been notified about the breach. "Investigations commenced immediately and are ongoing. At this stage, while DECYP [Department of Children, Education and Young People] has been identified as being impacted by the cyber security incident, the specific impact of the incident is subject to further investigation by Instructure," it said in a statement. Tasmanian provider TasTafe yesterday revealed some of its students had been compromised following a cybersecurity attack on the Canvas learning management system, developed by Instructure, while other education institutions were investigating the impacts. Speaking on 936 ABC Hobart Mornings, TasTAFE chief executive Norman Baker said he had been told hackers were demanding a ransom, and that some of the data stolen by the hackers was from chats between students and teachers. A New South Wales Department of Education spokesperson said they were working to determine if any NSW schools had been impacted. "The department considers the risk of a breach of any sensitive information to be low, and as a precaution, schools have been advised to reset passwords," they said.  Several universities have issued statements confirming they are aware of the cyber incident, including the University of Melbourne, Flinders University in Adelaide, University of Newcastle, University of Technology Sydney, Western Sydney University and University of Sydney. Luke Irwin from Aegis Cybersecurity, which offers services in Brisbane, said it was concerning that younger students had been impacted.  Luke Irwin says such attacks on technology providers are becoming more common. (ABC News: Mark Leonardi) "This is the first time many of these students and adolescents will have had their data compromised in this way," he said.  "At this point the value of that data isn't going to be incredibly high, because they don't have credit cards, they don't have car loans, they don't have drivers licences. But it is a starting point."  He said recent data breaches impacting large Australian companies had created rich data sets for hackers.  "This type of attack is becoming more and more common," he said.