Cyber Incident Victim: RMIT University
Date: May 2026
Location: Australia
Summary
RMIT University is working with Instructure to determine whether its data was affected by a cyber incident involving the Canvas learning management system, which a well-known threat group claimed responsibility for. The incident, disclosed after Instructure’s initial notification, may have exposed personal information such as messages stored in Canvas but reportedly did not involve passwords, dates of birth, government identifiers or financial data. Several other Australian universities and TAFEs have issued similar statements, noting that Canvas continues to operate normally within their environments while investigations proceed.
Description
On May 7, 2026, Australian universities and TAFEs disclosed potential exposure to a cyber incident involving the Canvas learning management system over the past 24 hours. The institutions named in the disclosures included RMIT University, the University of Technology Sydney, TasTAFE Tasmania and Western Sydney University. TasTAFE provided the most detailed account of the incident among the reporting organisations. TasTAFE stated that Instructure, the owner of Canvas, first notified it of the cyber incident on May 2, 2026. Instructure subsequently provided further details on May 6, 2026, indicating that a criminal third party was involved. TasTAFE emphasized that the incident related to Instructure’s systems and was not the result of a breach of TasTAFE’s own systems or processes. TasTAFE reported that investigations commenced immediately and were ongoing at the time of its disclosure.

Based on current advice from Instructure, TasTAFE said the data involved may include some personal information, such as content stored within Canvas including messages. TasTAFE noted that Instructure had not yet provided information identifying specific individuals affected by the incident. TasTAFE also said there was no indication that passwords, dates of birth, government identifiers or financial information were involved in the breach.

RMIT University issued a brief notice stating it was working with the vendor to confirm whether RMIT data had been involved and to understand any impacts resulting from the breach. The University of Technology Sydney issued a similarly worded statement indicating it was working with Instructure to confirm whether UTS data had been compromised and to fully understand potential impacts if a breach had occurred. UTS added that it was also working with relevant Australian authorities as part of its response. Western Sydney University said it was working with the vendor to examine potential exposure to the incident. All reporting institutions noted that Canvas continued to operate normally within their respective environments. A well-known threat group has claimed responsibility for the attack.
