New Zealand universities are assessing their exposure to a global cyber incident involving the Canvas learning management system after unauthorised access was reported on the platform used for teaching and assessment.
Canvas, used by tertiary institutions worldwide, was accessed without authorisation by a “criminal threat actor,” according to a notice from its parent company, Infrastructure. The incident involved certain user-identifying information, including names, email addresses, messages, and student ID numbers. The company has said there is no evidence that passwords, dates of birth, or government, or financial information were accessed.
According to Stuff’s report, Victoria University of Wellington confirmed that “bad actors” had gained unauthorised access to its student system as part of the wider breach. The university said it was “one of a large number of institutions affected globally” after being notified of an incident impacting its Nuku learning management system, which is based on Canvas. In a message to staff and students, the university said its internal systems were “operating as usual without issues.” Officials added there was “no suggestion of student assessment data being impacted” and “no indication that passwords or single sign-on credentials have been compromised.”
A cybersecurity team at the university is working with Infrastructure to establish the scope of the incident and “what data has been affected.” The university said no data had been “released publicly” and that it would keep its community “updated as we learn more.” Staff and students were formally advised of the incident on Wednesday morning. The case points to the concentration of operational and privacy risk in large, shared platforms where many institutions depend on the same technology vendor for core teaching and assessment functions.
Auckland University of Technology and the University of Auckland also use Canvas and have been reviewing potential impacts on their systems and data. An announcement to AUT students noted that nearly 9,000 institutions worldwide use Canvas and said the university’s ICT team was investigating any implications for staff and students. “We know situations like this can feel unsettling,” the notice said. In a statement, AUT said the platform remained available. “We are actively monitoring potential impacts, taking precautions to keep AUT’s applications secure, and will continue to keep students and staff informed,” the university said.
The University of Auckland told students it was still working to determine whether any of its data had been affected. “We will continue to monitor the situation closely and provide further updates if required,” the university said. As of Wednesday afternoon, it reported no confirmed impact on its systems. From an insurance perspective, the Canvas event is another example of third‑party and supply chain cyber incidents that can affect multiple insured organisations at the same time, raising questions around aggregation, notification obligations, and coverage triggers under cyber, professional indemnity and other policies.
The university incident is unfolding against a backdrop of rising reported cyber losses and higher‑impact incidents in New Zealand. In its Cyber Security Insights report for the third quarter of 2025, the National Cyber Security Centre (NCSC) said it received 1,249 incident reports between July 1 and Sept. 30, 2025. Direct financial losses reported to the centre reached $12.4 million during the period, a 118% increase from $5.7 million in the previous quarter. The centre attributed much of this rise to a small number of high‑value incidents involving unauthorised or falsified transfers of funds. Out of the 1,249 incidents logged, 110 were triaged for specialist technical support because they were considered of potential national significance, almost double the 56 such incidents recorded in the second quarter of 2025.
The NCSC also reported more incidents involving malicious software. Its quarterly feature article focused on recent developments in malware and protective measures available to organisations and individuals. Scams and fraud remained the largest incident category for the quarter, with 446 reports. Phishing and credential harvesting accounted for 355 reports, making it the second‑largest category. The NCSC observed a 50% increase in scams involving employment and business opportunities and outlined common job‑related scams and warning signs in a separate feature article.
The combination of the Canvas incident and NCSC statistics reflects several ongoing trends: the prominence of credential‑based attacks and email compromise, the role of malware‑as‑a‑service offerings, and the systemic risk associated with reliance on global platforms in sectors such as education. The higher volume of potentially nationally significant incidents and the quarter‑on‑quarter rise in reported financial losses may influence cyber underwriting assumptions around controls such as multi‑factor authentication, email security, vendor risk management, and incident response capability.
The education sector’s response to the Canvas breach may also provide further information on notification practices, engagement with third‑party providers, and the handling of personal and student data. Market participants are monitoring whether events of this type translate into higher severity claims, sub‑limits being tested for business email compromise and social engineering, and adjustments to wording around third‑party and supply chain incidents in New Zealand cyber programs.
