Australian universities and schools have been placed on high alert following a cybersecurity attack that took the Canvas learning management system offline. The breach, which targeted the cloud-based platform operated by US company Instructure, initially occurred on May 2 and has since impacted thousands of institutions worldwide.
Outage and Ransom Message
On Friday, the system went offline for many universities, with some students, including those at the University of Sydney, reporting that they had received a ransom message posted through the platform. The message, attributed to the hacking group ShinyHunters, claimed responsibility for the breach and criticised Instructure for ignoring the attackers and implementing only minor security patches.
The University of Sydney confirmed that Canvas had been experiencing a global outage since 6am on Friday after Instructure placed it into maintenance mode. The university stated that it is one of approximately 9,000 institutions affected by the outage and is awaiting clear guidance from Instructure.
Impact on Institutions
The University of Melbourne has also been impacted by the outage and has extended deadlines over the weekend. Other affected institutions include South Australia's Flinders University, RMIT in Melbourne, Tasmania's Technical and Further Education Institute, and the University of Technology Sydney.
Queensland Education Minister John-Paul Langbroek revealed that names, email addresses, and school locations had been compromised in the breach, but there is no evidence that passwords, dates of birth, or financial information were accessed.
Official Response
Instructure confirmed the incident in a post on its status website over the weekend, stating that it is actively investigating the cybersecurity incident with the help of outside forensics experts. The company's chief information security officer, Steve Proud, noted that the incident appeared to have been contained, and further updates would be shared directly with customers.
National Cybersecurity Coordinator Michelle McGuinness confirmed the incident and stated that her team is working closely with state and territory governments and education peak bodies to address the impacts. She added that there is no sign that personal identification documents or financial information have been affected, but the full impact is not yet clear.
McGuinness advised anyone impacted by the cyber incident to maintain heightened awareness of potential scam activity.
