13 May 2026

Canvas Cyber Attack

A recent cyber attack involving the widely used online learning platform Canvas has exposed the personal information of millions of students and educators globally, serving as another reminder of the growing risks associated with unmanaged and overexposed information assets.

The breach, linked to cybercriminal group ShinyHunters, impacted almost 9,000 schools and educational institutions and involved the theft of student IDs, email addresses, enrolment information and communications stored within the platform.

While Instructure, the company behind Canvas, says it has reached an agreement with the hackers and received assurances the data will not be publicly leaked or used for extortion, cybersecurity experts warn the incident still creates significant long-term risks.

For records and information managers, the incident reinforces several critical governance lessons:

  • Sensitive information stored across digital platforms remains a major cyber target
  • Over-retention of personal information increases organisational risk exposure
  • Metadata, communications and support systems can become overlooked vulnerabilities
  • Strong disposal practices and access controls are essential components of cyber resilience
  • Information governance must be embedded into digital platforms from the outset, not applied retrospectively

Experts have also warned that stolen information may now be used for highly personalised phishing attacks and social engineering campaigns.

As organisations continue accelerating digital transformation and AI adoption, the Canvas breach highlights the growing connection between cybersecurity, privacy and information governance, and the increasingly strategic role that records and information professionals play in reducing organisational risk.

Read the full article by Monty Jacka published on ABC News, 12 May 2026