The Queensland government says that students and staff working or studying at state schools since 2020 may have been caught up in a breach of global education systems vendor, Instructure.
QLearn, the state’s digital learning management platform, is backed by Instructure’s Canvas, which was recently targeted by a well-known threat group.
A case study published by the vendor states that QLearn is used by “1264 K-12 schools, their 572,160 students [and by] 73,000-plus teaching staff.”
Queensland’s education minister John-Paul Langbroek said in a statement that a limited number of data fields are thought to have been affected.
“Early advice is students and staff working or studying at Education Queensland schools since 2020 … have been affected,” Langbroek said.
“Advice at this stage is names, email addresses and school locations have been compromised in the international data breach.
“No evidence of passwords, dates of birth or financial information being accessed in the data breach.”
Langbroek said that school principals are “in the process of contacting families and teachers to advise them of the breach.”
Earlier today, iTnews reported that multiple institutions including RMIT University, UTS, TasTAFE Tasmania and Western Sydney University were urgently assessing their potential exposure to the incident.
TasTAFE said that Canvas’ owner Instructure first notified of the cyber incident on May 2. However, it said that yesterday the vendor provided further details, advising “that a criminal third party” was involved.
Universities and schools worldwide have made similar disclosures.
Given the breadth of potential exposures, the National Cyber Security Coordinator Lieutenant General Michelle McGuinness is now also involved.
“My team is coordinating efforts to respond and understand what Australian data may be impacted,” McGuinness wrote in a LinkedIn post.
“We are in the early stages of assessing the impacts, and I will share further updates as we gain a better understanding of the incident.”
