Victorian school students and universities caught up in global cyber hack

Schools, universities and other educational institutions across Victoria have been caught up in an international cyber hack in which criminals are holding sensitive information to ransom.

Hackers accessed Canvas, a popular off-the-shelf educational management and communications system, which is used by about 9000 institutions globally.

Canvas’ operators say the hackers – who are calling themselves ShinyHunters – may be in possession of “identifying information”, including names, email addresses and student ID numbers, as well as messages between teachers, students and parents.

The University of Melbourne told students and staff on Thursday that Canvas advised the institution some of its data has been involved in this breach, while RMIT University said it was still working with US-owned Canvas to determine if any of its data had been stolen.

Parents at Melbourne Grammar were also told on Thursday afternoon that it been advised of the hack. The top private school sought to reassure families that it did not believe any student data had been stolen.

The hackers are reportedly claiming to have stolen 3.65 terabytes of data – including billions of private messages sent between students and teachers – and are demanding an undisclosed ransom from Canvas’ parent company, Instructure.

It was not clear on Thursday how many institutions across the state have been impacted by the mass hack.

Victoria’s 1570 government schools use the Australian-based Compass learning management system – which has no commercial or technological links to Canvas – and have not been affected by the hack.

The Melbourne Archdiocese Catholic Schools group was also assessing if any of its schools’ data had been compromised.

Australia’s National Cybersecurity Co-ordinator, Michelle McGuinness, confirmed in a LinkedIn post that the hack had occurred, and advised families to be on the lookout for suspicious emails and other online communications.

“If you think you may be impacted by this breach, the best way you can protect yourself is to not respond to unsolicited contact,” McGuinness wrote.

“Criminals use personal information from data breaches to trick victims into revealing further information that can be used to access your accounts elsewhere, including with financial institutions.”

Melbourne Grammar headmaster Phil Grutzner said the school believed the data of families with children at the school had not been accessed, but urged online caution.

“If your data has been accessed, phishing is the most likely consequence,” Grutzner wrote.

The Canvas breach comes on the back of an unprecedented cyberattack in January in which the data of thousands of Victorian students was exposed, and students’ names and addresses held by the Victorian Department of Education were accessed by a third party through a school network.

Last year, data belonging to families and graduates of Scotch College was also exposed after the private school’s IT system was hacked.

Cybersecurity and compliance company ProofPoint said educational institutions were highly attractive targets for cyber criminals because they held large amounts of personally identifiable information on students, staff, and alumni.

Despite the increase in attacks, most of Australia’s top schools and universities are still not securing their email communications to industry-approved standards, according to ProofPoint senior director Steve Moros, citing research earlier this year by his company.

Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.