Hundreds of thousands of students have been left unable to access schoolwork or submit assessments, with some receiving ransom messages following a global cybersecurity hack. 

On Thursday, universities, TAFEs and public schools in at least two states were left scrambling to respond to the global breach of the cloud-based Canvas learning management system, which was hacked on May 2. 

Almost 9,000 institutions worldwide are clients of the system developed by United States company Instructure, which is based in Salt Lake City, Utah. 

Cybersecurity industry website BleepingComputer said notorious hacking group ShinyHunters had claimed responsibility for the breach.

On Friday, some students and teachers attempting to log into Canvas were greeted with a message from ShinyHunters, seen by the ABC, claiming a second hack had taken place and demanding a ransom.

“ShinyHunters has breached Instructure [again],” the statement read.

“Instead of contacting us to resolve it, they ignored us and did some ‘security patches’.”

The statement included exhortations for Instructure and educational institutions to contact ShinyHunters and “negotiate a settlement”.

Among providers confirmed to have been affected are state schools in Queensland and Tasmania, universities in New South Wales, Queensland and South Australia and TAFE in Tasmania.

QUT student Abriana Doherty was going into exam block in her second year of biomedical science, and said the system outages were affecting her study.

“I was supposed to go into class this morning and I was going to do some revision before going, and I just couldn’t do anything, which was really frustrating,” she said.

She said her practical class still went ahead despite the software issues.

First-year property economics and business student Ekansh Alla said he needed to contact a lecturer because he had an assessment due on Friday afternoon.

“I was trying to access [Canvas] this morning to check my lectures, submit some assignments, but it was down for maintenance,” he said.

“I heard it got hacked recently, so I don’t know if it’s to do with that.

“Probably is.”

As of 9:21pm, May 7, local time (1:17pm, May 8, AEST) Instructure reported that Canvas was available for most users.  It is unclear when the learning systems could be completely back online. 

Instructure said in a statement it had discovered an “unauthorised actor” had made changes to the pages that appeared when some students and teachers logged in. 

“Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” the statement said. 

“We have confirmed that the unauthorised actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts.”

In a statement published to social media, National Cyber Security Coordinator Michelle McGuinness said it would take some time before the full impacts of the compromised data were understood. 

“My team is working closely with state and territory governments and education peak bodies to collectively address the impacts arising from this incident,” she said. 

“Despite the disruption caused by this incident, I understand affected education institutions remain open. Institutions will contact students and staff directly if they experience any interruptions to service delivery as a result of the incident.”

She said her team was not aware of any personal identification documents or financial information being compromised. 

“As with any incident, Australians should not go searching for data on the dark web or engage with the threat actor — these actions only feed the business model of cybercriminals.”

Expand the cards below for more information about impacted states. 

Queensland

Read more

Queensland Department of Education staff were advised in an email on Friday morning by Deputy Director-General of Digital Innovation Darrin Bond that the Canvas platform was unavailable and access to QLearn had been rescinded. 

The state’s education minister John-Paul Langbroek said QLearn was shut down as a “preventative action”.

“That’s something that people should also be reassured about, that it’s important that we took that preventative action,” he said. 

He stressed that the information obtained in the breach did not include financial information or passwords, and had not yet been leaked.

“We’ll continue to work with our chief information officers across government, then of course between governments if we can get a federal response.”

Mr Langbroek said there were alternatives in place to enable learning to continue without the QLearn infrastructure, and universities were likely more heavily affected than schools. 

Queensland Teachers Union president Cresta Richardson said the shutdown of QLearn would increase workloads and stress on students and staff.

“I think when we’re talking about workload management, we know that our teachers are really flexible, but this certainly creates [a] significant workload increase, not only for teachers, but for students as well,” she said.

“This is just another failure that creates a new level of stress for teachers and students that they just don’t need at the moment.”

She urged the government to continue to provide updates to the education community.

“I think that the government need to fix the problem and fix it quickly, but they also need to be reporting to the community on what’s happening and what’s being done to protect our teachers.”

Students at Griffith University received emails on Friday morning offering extensions on assessment pieces due to the software breach. 

A QUT spokesperson said overnight, Instructure removed access to their system globally, including QUT’s Learning Management System, Canvas. 

“QUT is working to reduce disruption to teaching, learning and assessment, and will keep students and staff informed as information becomes available,” they said. 

Tasmania

Read more

Tasmania’s Department for Education, Children and Young People acting secretary Ross Smith said Instructure had advised the names, email addresses and school locations for staff and students since 2020 may have been implicated in the incident. 

“We have received repeated assurances that financial information and passwords are not at risk,” he said. 

“While investigations continue, if this information is released one of the most immediate risks will be phishing and scam activity using compromised contact information.

“DECYP’s priority is supporting schools with learning continuity and providing schools, parents, carers and students with advice about how to keep their online information safe.”

He said the department was continuing to work closely with cybersecurity authorities and the third-party provider as investigations continue. 

New South Wales

Read more

University of Technology Sydney is also experiencing outages, and said in a statement access to Canvas had been “temporarily disabled”.

The university said automatic extensions had been granted until Monday for any assessment due today.

Students have been warned not to attempt to log into Canvas, and to keep an eye out for phishing and scam emails. 

Victoria

Read more

Students at Royal Melbourne Institute of Technology have been told their systems are also affected by the breach, and been given a week-long extension on assessment items. 

“We are working together across Commonwealth and State and Territory government departments and operational agencies, with peak bodies and impacted organisations to collectively support the national response to this incident,” an email to students read.