Cyber Incident Victim: Education Queensland

Instructure's Canvas platform, used by Queensland's QLearn, was targeted by a well-known threat group. The vendor first notified of the cyber incident on May 2, 2026, and provided further details on May 6, 2026, indicating involvement of a criminal third party. Queensland's education minister John-Paul Langbroek announced on May 7, 2026 that students and staff who have worked or studied at Education Queensland schools since 2020 may have been affected. He stated that early advice indicates names, email addresses and school locations were compromised, while there is no evidence that passwords, dates of birth or financial information were accessed. The minister noted that QLearn serves 1,264 K-12 schools, 572,160 students and over 73,000 teaching staff.

School principals are in the process of contacting families and teachers to advise them of the breach. The National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, said her team is coordinating efforts to respond and understand what Australian data may be impacted. She added that they are in the early stages of assessing impacts and will share further updates as they gain a better understanding of the incident. Other institutions, including RMIT University, UTS, TasTAFE Tasmania and Western Sydney University, are urgently assessing their potential exposure to the incident. TasTAFE noted that Instructure first notified them on May 2 and provided further details on May 6.

Universities and schools worldwide have made similar disclosures regarding the Canvas breach. Given the breadth of potential exposures, the National Cyber Security Coordinator Lieutenant General Michelle McGuinness is now also involved. The minister’s statement and the coordinator’s remarks indicate that the assessment is ongoing and that further information will be shared as understanding of the incident improves.