Tens of thousands of Queensland students and teachers have been swept up in one of the most significant global education technology data breaches in recent memory, as the criminal extortion group ShinyHunters claimed responsibility for an attack on Instructure — the US-based company behind the widely used Canvas learning management system (LMS).
Queensland Education Minister John-Paul Langbroek confirmed the breach on Thursday, stating that students and staff at Queensland state schools who have used the system since 2020 are likely affected. The breach is part of a global incident that Instructure says may have impacted more than 200 million people worldwide across more than 9,000 schools, universities, and other institutions.
According to Instructure's chief information security officer Steve Proud, the attack exposed certain user-identifying information including names, email addresses, student ID numbers, and messages exchanged between users on the platform. The Queensland government confirmed that names, email addresses, and school locations are among the data likely compromised for local students and staff.
Instructure has stated there is no evidence that passwords, dates of birth, government identifiers, or financial information were accessed. The compromised data has not yet been publicly released, though ShinyHunters set a deadline of 6 May 2026 for Instructure to pay an undisclosed ransom or face a leak of what the group claims amounts to several billion private messages and 3.65 terabytes of data.
30 Apr: Instructure reports disruption to API-dependent tools across the Canvas platform
1 May: Instructure confirms a criminal threat actor is responsible; outside forensics experts engaged
2 May: Instructure announces the incident is believed to be contained; some user data confirmed as accessed
3 May: ShinyHunters lists Instructure on its dark web leak site with a "Pay or Leak" demand
3 May: Canvas Data 2 service restored for most customers
5 May: TasTAFE (Tasmania) confirms student data was compromised
6 May: Queensland government publicly confirms tens of thousands of students and staff affected; ShinyHunters' ransom deadline expires
ShinyHunters is a financially motivated criminal extortion group with a prolific track record in 2025 and 2026. The group has previously claimed responsibility for breaches at Ticketmaster, Google, the University of Pennsylvania, Princeton, Harvard, Amtrak, ADT, and fintech lender Figure, as well as a prior social engineering attack on Instructure's Salesforce instance in September 2025. Security researchers note the group's preferred method involves exploiting Salesforce misconfigurations and OAuth integrations with overly broad access scopes to authenticate as legitimate users and exfiltrate data through normal API channels.
"The Canvas breach is a reminder that no platform is immune: there are countless widely used systems that remain attractive targets for sophisticated bad actors, including nation-states." — Anton Dahbura, Executive Director, Johns Hopkins University Information Security Institute
Canvas is used extensively across the Asia-Pacific region. In addition to Queensland's state school network — which uses Canvas through the QLearn platform — institutions in New Zealand including Victoria University of Wellington, Auckland University of Technology, and the University of Auckland have confirmed they are assessing their exposure. The University of Auckland noted that phishing is the most likely immediate consequence if its data has been accessed, and recommended that students and staff be alert to unexpected emails requesting personal information.
The Queensland government has confirmed it is providing priority support to families known to child safety authorities or those with a known history of domestic and family violence — an acknowledgement that even the relatively limited data exposed (names, emails, school locations) can pose meaningful harm in certain circumstances.
Third-Party and Supply Chain Aggregation Risk. As Insurance Business Magazine's New Zealand desk reported, the Canvas event is a textbook example of a third-party and supply chain cyber incident affecting multiple insured organisations simultaneously — the precise scenario that creates aggregation risk for underwriters. A single vendor breach touching thousands of institutions raises the question of how many policies across a portfolio are triggered by the same root cause. Market participants are monitoring whether events of this type translate into higher severity claims, sub-limits being tested for business interruption, and adjustments to wording around supply chain coverage triggers.
Notification Obligations Under Australian Law. The incident has immediate regulatory implications. As Gallagher has outlined in its analysis of Australian cyber and privacy duties, entities covered by the Privacy Act that hold personal information must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs that is likely to result in serious harm. Following 2022 amendments, maximum penalties now reach up to AU$50 million, or three times the value of any benefit obtained through misuse of information, or 30% of a company's domestic turnover — whichever is greater.
Additionally, Queensland's Information Privacy and Other Legislation Amendment Act 2023 introduced state-level breach notification requirements for Queensland public sector agencies, expected to take full effect in July 2026. Given the Queensland government's direct involvement in this incident through the QLearn platform, the notification and regulatory response will be closely watched as a test case.
Mandatory Ransomware Reporting. Australia's Cyber Security Act 2024 introduced mandatory ransomware payment reporting from May 2025 for businesses with annual revenue above $3 million. Any payment made to ShinyHunters — or to a ransom negotiator acting on behalf of an insured — would trigger disclosure obligations to the Australian Signals Directorate (ASD) within 72 hours. Brokers advising clients on ransom response should ensure clients are aware of this obligation, and that paying a ransom to a sanctioned entity may violate Australian financial sanctions law regardless of insurance coverage.
Coverage Triggers and Policy Review. This breach may test coverage across several policy lines simultaneously: cyber (first- and third-party), professional indemnity (particularly for managed service providers and edtech vendors), and directors' and officers' liability where regulatory action follows. Cyber insurance carriers are increasingly asking pointed questions about third-party access controls, OAuth grant inventories, and identity provider posture at renewal — and a breach tracing back to a vendor an insured failed to properly assess can affect coverage decisions.
Education Sector Risk Profile. The education sector has become a prime target for ransomware and extortion groups. The Instructure breach follows PowerSchool's 2024 breach affecting an estimated 62 million students, and Illuminate Education's breach which led to an FTC enforcement action in 2025. PowerSchool separately settled charges related to its Naviance platform handling of student data for US$17.25 million in early 2026. This pattern suggests regulators on both sides of the Pacific are sharpening their focus on edtech vendors.
Brokers with education sector clients — including private schools, universities, and vocational training providers — should consider proactively reaching out to confirm whether those clients use Canvas, and whether they have received notification from Instructure. Even where data has not yet been confirmed as affected, the incident highlights potential gaps in vendor due diligence and supply chain risk assessments that underwriters are increasingly scrutinising at renewal.
For clients who have been notified, the immediate priorities are: assessing whether the breach meets the NDB scheme's "eligible data breach" threshold; determining whether a 72-hour ASD notification obligation applies if any ransom payment is under consideration; and engaging an incident response team — costs for which are typically covered under cyber policies — to manage communications and regulatory obligations.
Underwriters reviewing education sector risks at upcoming renewals should be asking clients about their reliance on third-party learning management platforms, the controls they apply to vendor access, and whether they have tested their incident response plans for supply chain breach scenarios.
ShinyHunters' stated deadline for Instructure to pay — or face a public data dump — falls on 6 May 2026, the same day Queensland's education minister made his public statement. As of publication, the data has not been publicly released, and Instructure says its investigation is ongoing. The situation remains fluid. The extent of Australian institutional exposure beyond Queensland is not yet fully known, and further notifications from universities and other registered training organisations are likely in coming days.
Insurance Business Australia will continue to monitor and report on this incident as further information becomes available.
