Australian schools warned they remain vulnerable after Canvas ransom deal

Australian schools and universities affected by the global Canvas cyberattack are being warned that student data may still be at risk, despite the platform’s parent company reaching an agreement with the hacking group behind the breach.

Instructure, the US-based company that develops the Canvas learning management system, said this week it had reached an agreement with the unauthorised actor responsible for the incident and had received digital confirmation that stolen data had been destroyed. The company also said it had been told that its customers would not be extorted as a result of the breach.

The attack has been linked to ShinyHunters, a hacking group that claimed responsibility for breaching Canvas and threatened to release stolen data unless a ransom was paid. The group claimed the incident affected nearly 9,000 schools and institutions globally, although the full scale of the breach has not been independently verified.

Instructure has not confirmed whether money changed hands as part of the agreement. Cybersecurity experts, however, have suggested that such arrangements often involve a ransom payment. Reuters reported that ransomware negotiator Kurtis Minder said it was likely some form of payment was made, although the terms of the deal remain undisclosed.

The breach affected schools and universities in several countries, including Australia. Local reports have identified impacts across Australian schools, universities and vocational providers, with student data including names, email addresses, usernames, student ID numbers, course names, enrolment information and messages potentially exposed. Instructure has said it found no evidence that passwords, dates of birth, government identifiers or financial information were compromised.

Australian institutions affected by the incident reportedly include public schools, private schools and major universities. Some institutions temporarily disabled Canvas access, offered extensions to students or warned staff and students to watch for phishing and scam emails.

Cyber safety experts have warned that even if the hackers deleted the data, schools remain vulnerable. A deal with criminals does not provide the same assurance as a verified forensic recovery, and stolen data can be copied, segmented, resold or reused before any claimed destruction occurs.

University of Queensland cyber security professor Ryan Ko told the ABC that paying or negotiating with hackers can create further risk by signalling that an organisation may be willing to deal with criminals. He warned that organisations that pay can end up on so-called “sucker lists”, making future extortion attempts more likely.

The risk to students and staff may continue well after the immediate breach. Education sector data can be used to craft convincing phishing emails, impersonate teachers or administrators, target parents, and build profiles of young people over time. EducationHQ reported that Australian schools should prepare for a wave of highly targeted phishing scams following the breach.

The incident has also raised broader questions about the security of education technology platforms. Schools increasingly rely on third-party systems for learning materials, assignments, communications, enrolment information and student records. When those platforms are compromised, the impact can spread across hundreds or thousands of institutions at once.

For schools, the immediate priority is to communicate clearly with students, parents and staff, monitor for suspicious emails, review account security, and work with platform providers to understand exactly what data was accessed. For students and parents, the safest approach is to be wary of unexpected emails, login prompts, messages about assignments or fees, and any communication asking for credentials or personal information.

The Canvas breach is a warning that schools are attractive targets for cybercriminals. They hold valuable personal data, rely on complex digital systems and often lack the security resources of large corporations. Even after a vendor says an incident has been resolved, the consequences can continue through scams, identity risks and further attempts to exploit trust inside school communities.

Photo Credit: DepositPhotos.com