What happened
In May 2026 the Queensland Department of Education confirmed that students and staff had been affected by a data breach involving its third-party learning-management platform, Instructure Canvas (branded locally as “QLearn”) [qde-cyberdaily]. The Education Minister said the exposed information included names, email addresses, school locations, student ID numbers and user messages, and that there was no evidence that passwords, dates of birth or financial information had been accessed [qde-cyberdaily], [qde-indaily]. The incident was reported as part of a wider campaign attributed to the group known as ShinyHunters — an attribution that comes from the attackers’ own claims and media reporting [qde-cyberdaily].
Timeline
- 2026-05 — The breach of the Instructure Canvas platform was reported and attributed by media to ShinyHunters [qde-cyberdaily].
- 2026-05-07 — The Queensland Education Minister issued a public statement confirming the impact on students and staff [qde-indaily].
Current status
Disclosed. Schools were notifying affected families. No confirmed count of affected Queensland individuals has been published — figures cited for the underlying Canvas platform refer to its global user base, not to Queensland, so no figure is asserted here [qde-cyberdaily], [qde-indaily].
Why it matters
A state education department holds data on hundreds of thousands of children, and a breach reached through a shared learning platform shows how a single third-party system can expose an entire school sector at once.