Tasmanian students, teachers and school staff may have had personal information stolen in a global cyberattack on the Canvas learning platform, used by both the Department for Education, Children and Young People and TasTAFE.
Canvas owner Instructure confirmed on May 2 that user data was exposed in the breach, which it first disclosed two days earlier.
The notorious extortion gang ShinyHunters has claimed responsibility, listing Instructure on its dark web leak site with a “pay or leak” ultimatum.
DECYP told parents in a statement it had been “notified of a cyber security incident” affecting Canvas, which it uses to deliver and track learning across Tasmanian schools and colleges.
“Investigations commenced immediately and are ongoing,” DECYP said.
“At this stage, while DECYP has been identified as being impacted by the cyber security incident, the specific impact of the incident is subject to further investigation by Instructure.”
“DECYP has not been informed if any Tasmanian data has been obtained. We will provide an update if this changes.”
The department said Canvas, which is used to deliver, manage and track learning, was running normally and learning had not been disrupted.
DECYP has also activated cyber response governance arrangements and said investigations into the incident are ongoing.
Instructure has confirmed the stolen data includes names, email addresses, student ID numbers and messages exchanged between users.
The company says there is no evidence passwords, dates of birth, government IDs or financial information were taken.
ShinyHunters claims the haul is far bigger, alleging it stole 3.65 terabytes of data covering 275 million people across nearly 9,000 schools worldwide.
DECYP urged Tasmanians to stay alert for scams and suspicious messages.
“Should any sensitive or personal information be affected, DECYP will work with Instructure to manage harm and ensure that those affected are notified as soon as possible and offered assistance and support as required,” it said.
