The recent breach involving the widely used Learning Management System (LMS) platform Canvas is more than another cyber incident. It is a reminder that schools and universities remain accountable for protecting student information, even when that data sits inside platforms they do not directly control.
A Learning Management System (LMS) is a digital platform used across education to manage teaching, assessments, communication and student learning activities. These platforms often contain significant volumes of sensitive information, including student records, grades, attendance data, behavioural information, wellbeing records, communications, login activity and long-term learning history.
Modern LMS environments rarely operate in isolation. Many schools and universities now have dozens of connected third-party applications integrating into platforms such as Canvas by Instructure. These integrations can involve assessment systems, collaboration tools, student management platforms, analytics engines, video services and AI-enabled learning applications, creating continuous flows of student records, communications, behavioural analytics, grades and learning metadata across increasingly complex digital ecosystems.
For many institutions, Canvas is deeply embedded into day-to-day teaching, assessment and student engagement workflows. When a platform of this scale experiences a security incident, the impact extends well beyond technology alone, raising broader questions around governance, operational resilience and institutional oversight.
The threat actor group ShinyHunters has reportedly claimed responsibility for the incident, alleging the exfiltration of approximately 3.65TB of data impacting roughly 9,000 institutions worldwide.
Educational data is inherently sensitive. In many cases, records may need to be retained for decades under Australian retention and delayed disclosure obligations. The incident also highlights a broader issue across the sector: governance maturity around data handling in education often lags behind other regulated industries, even though schools and universities manage large volumes of highly sensitive information.
Questions institutions should now be asking include:
- Do we truly know what student data exists across our LMS and ed-tech environments?
- Can we clearly map where sensitive information resides and who has access to it?
- Are retention and deletion practices actually being enforced?
- Do we have visibility into third-party data flows, analytics and AI-enabled platforms?
- Could we confidently demonstrate duty of care if challenged by regulators, parents, students or the broader community?
Several Australian institutions have already acknowledged investigations or potential exposure associated with the breach, including RMIT University, Flinders University, the Queensland Department of Education, TasTAFE and The Anglican Schools Corporation.
Australian Privacy Principles obligations
Under the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth):
- APP 3 requires organisations to collect only personal information that is reasonably necessary for their functions or activities, and to collect it lawfully and fairly.
- APP 5 requires organisations to clearly notify individuals about what information is collected, why it is collected, how it will be used and who it may be disclosed to.
- APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify information once it is no longer needed for a permitted purpose.
These obligations are highly relevant in LMS and ed-tech environments where large volumes of sensitive student and staff information may be shared across multiple integrated platforms and service providers.
The breach also arrives as Australian privacy reforms introduce stronger transparency expectations around automated decision making (ADM) and AI-driven processing, including updated privacy policy obligations expected from 10 December.
Hosting student information with a third party does not remove institutional responsibility for governance, privacy and lifecycle management. Schools and universities should be continuously assessing visibility, retention, operational resilience and oversight across their broader ed-tech environments.
Practical steps institutions should now be considering:
- Minimising unnecessary data retention
- Enforcing strong identity controls such as multifactor authentication (MFA)
- Improving visibility of third-party data handling, analytics and AI processing
- Reviewing contractual and vendor governance obligations
- Establishing clear breach communication and response plans before incidents occur
- Ensuring defensible retention and deletion practices exist across both paper and digital records
- Reviewing privacy policies and disclosures relating to AI and automated decision making
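The third-party visibility point above (and the integration sprawl described earlier) is concrete enough to script. The following is an added example, not code from the original post or from Instructure: it takes the JSON list that the Canvas API returns from GET /api/v1/accounts/:account_id/external_tools (the `name`, `url`, `domain` and `privacy_level` fields are real Canvas fields), builds an inventory of which configured LTI tools receive student identity data at launch, and flags tools that are not on an approved-vendor register. The sample payload is constructed, and APPROVED_VENDORS is a hypothetical institutional register.

```python
"""Inventory the third-party (LTI) tools configured on a Canvas account and
flag those that receive student identity data on launch.

Added example for illustration; not code from the original post or from
Instructure. Assumptions: the input has the shape of the JSON list returned
by GET /api/v1/accounts/:account_id/external_tools (fields `name`, `url`,
`domain`, `privacy_level`), SAMPLE_TOOLS_JSON is constructed, and
APPROVED_VENDORS is a hypothetical institutional vendor register.
"""
import json
from urllib.parse import urlparse

# Canvas `privacy_level` values (External Tools API) and what each releases
# to the tool when a user launches it.
PRIVACY_LEVELS = {
    "anonymous": "no user identity",
    "name_only": "user's name",
    "email_only": "user's email address",
    "public": "name, email and other identifying launch claims",
}
PII_LEVELS = {"name_only", "email_only", "public"}

# Constructed sample API response (not real data).
SAMPLE_TOOLS_JSON = """
[
  {"id": 101, "name": "Plagiarism Checker", "domain": "checker.example-vendor.com",
   "url": null, "privacy_level": "public", "created_at": "2021-03-02T00:00:00Z"},
  {"id": 102, "name": "Lecture Video", "domain": null,
   "url": "https://video.example-media.net/lti/launch", "privacy_level": "email_only",
   "created_at": "2022-09-14T00:00:00Z"},
  {"id": 103, "name": "Anonymous Poll", "domain": "polls.example-poll.org",
   "url": null, "privacy_level": "anonymous", "created_at": "2023-01-20T00:00:00Z"},
  {"id": 104, "name": "AI Study Buddy", "domain": "tutor.example-ai.io",
   "url": null, "privacy_level": "name_only", "created_at": "2024-05-01T00:00:00Z"},
  {"id": 105, "name": "Legacy Gradebook Sync", "domain": "sync.oldvendor.example",
   "url": null, "privacy_level": null, "created_at": "2016-07-11T00:00:00Z"}
]
"""

# Hypothetical register of vendors that have a signed data-handling agreement.
APPROVED_VENDORS = {
    "checker.example-vendor.com",
    "video.example-media.net",
    "polls.example-poll.org",
}


def tool_host(tool):
    """Vendor host the tool launches to: `domain` if set, else the host part
    of `url`; None if neither is present."""
    if tool.get("domain"):
        return tool["domain"].lower()
    if tool.get("url"):
        return (urlparse(tool["url"]).hostname or "").lower() or None
    return None


def assess_tool(tool, approved_vendors):
    """Classify one external tool and list its governance findings."""
    level = tool.get("privacy_level")
    host = tool_host(tool)
    findings = []
    if level not in PRIVACY_LEVELS:
        # Unknown or missing level is treated as PII-sharing until verified.
        findings.append("unknown privacy_level: confirm what the launch releases")
        shares_pii = True
    else:
        shares_pii = level in PII_LEVELS
    if host is None:
        findings.append("no launch domain or URL: cannot attribute data flow")
    elif host not in approved_vendors:
        findings.append("vendor not in approved register")
    if shares_pii and host not in approved_vendors:
        findings.append("PII released to an unregistered vendor")
    return {
        "id": tool.get("id"),
        "name": tool.get("name"),
        "host": host,
        "privacy_level": level,
        "releases": PRIVACY_LEVELS.get(level, "unknown"),
        "shares_pii": shares_pii,
        "findings": findings,
    }


def inventory(tools_json, approved_vendors=APPROVED_VENDORS):
    """Build the data-flow inventory for an account's external tools."""
    return [assess_tool(t, approved_vendors) for t in json.loads(tools_json)]


def needs_review(inv):
    """Tools with at least one finding, PII-sharing ones listed first."""
    flagged = [t for t in inv if t["findings"]]
    return sorted(flagged, key=lambda t: (not t["shares_pii"], t["name"]))


if __name__ == "__main__":
    for t in inventory(SAMPLE_TOOLS_JSON):
        status = "REVIEW" if t["findings"] else "ok"
        print(f"{status:6} {t['name']:<22} {t['host'] or '-':<28} "
              f"{t['privacy_level'] or 'unknown':<10} {'; '.join(t['findings'])}")
```

Run against a real account export, the output is a starting point for the data-flow map the questions above ask for: every tool with a `public`, `email_only` or `name_only` launch is a disclosure to a third party that the institution's privacy notice and vendor contracts need to cover, and tools with no recorded privacy level or an unregistered host are the ones to chase first.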
The reality is simple – schools and universities are now custodians of vast volumes of highly sensitive lifelong information. Parents, regulators, students and communities will increasingly expect institutions to demonstrate not only educational excellence, but measurable governance, accountability and care in how that information is protected.
Privacy, governance and operational resilience are no longer secondary technology concerns. They are rapidly becoming core components of institutional trust.
Resources:
Australian educational facilities impacted as ‘criminal’ hacks Canvas learning platform – ABC News