What the Canvas cyber incident means for the education sector, parents, and students


What is the Canvas breach about?

In late April 2026, Instructure, the US‑based company that operates the Canvas learning management system (LMS), confirmed it had experienced a cybersecurity incident affecting some of its systems. Canvas is widely used by schools, TAFEs and universities across Australia, including state schools.

Based on information released to date, the incident involved unauthorised access to certain user data held within the platform. Early advice indicates that this may include names, email addresses, school locations, student identifiers and messages within Canvas. Importantly, authorities and Canvas have stated that there is currently no evidence that passwords, financial information or government identity details were accessed.

The investigation is ongoing, with Australian education departments and the National Cyber Security Coordinator managing the local response. Schools are being notified through official channels as more information becomes available.

Like many recent incidents, this breach appears to have originated outside individual schools, through a third‑party technology provider used at global scale. That distinction matters when thinking about what schools should and should not do next.

Why response matters

For school communities, incidents like this are unsettling. Parents worry about their children’s information. Teachers worry about systems they rely on daily. Principals and senior management suddenly find themselves at the centre of uncertainty, without all the answers.

From BDO’s experience supporting organisations through similar third‑party breaches, one thing is clear: confidence is shaped by how the incident is handled. Schools don’t need to speculate, panic or overwhelm families with technical explanations. What communities need most is clarity, consistency and reassurance.

The most effective school responses tend to focus on three things:

  • Clear, early communication
    Explain what is known, what is still being investigated, and when updates will be provided. Avoid speculation.
  • Practical guidance people can act on
    Parents and teachers don’t need deep technical detail. Short, plain‑English checklists work best.
  • Trusted external advice
    Direct families to established Australian Government guidance such as cyber.gov.au, myGov and the Office of the Australian Information Commissioner, rather than social media commentary.

Schools cannot always prevent cyber incidents involving third‑party platforms, but they can control how they respond. In moments like this, calm, transparent leadership builds trust.

Practical checklist: Turning leadership principles into actions

The checklists below turn these principles into simple, practical actions for school leaders, staff and parents. They focus on what to do now and draw only on trusted Australian Government guidance.

For principals and school leadership teams

Focus: communication, coordination and care

  • Confirm official advice from your education department and the vendor (avoid speculation)
  • Communicate early with families and staff:
    • what is known
    • what is not yet known
    • what people should do now
  • Provide short, practical guidance (see below)
  • Prioritise support for vulnerable families where required
  • Keep a simple record of key decisions and communications.

For Boards and senior management

Focus: oversight and reassurance

  • Confirm high‑level facts about the incident using advice from management, the education department and the vendor 
  • Ensure the school response focuses on student, staff and parent impacts, not technical detail 
  • Satisfy yourself that clear, timely communications are being issued to families and staff 
  • Confirm management is directing people to trusted government guidance rather than informal sources 
  • Ensure appropriate support arrangements are in place for vulnerable or at‑risk families 
  • Request that key decisions and communications are documented for later review 

For school IT teams (non‑technical actions)

Focus: system hygiene and reassurance

  • Follow guidance from your education department and system vendors
  • Review user access (remove accounts that are no longer required)
  • Ensure multi‑factor authentication is enabled where already supported
  • Brief staff to be alert for phishing or scam messages referencing the breach
  • Avoid unnecessary disruption such as blanket password resets unless advised.

For teachers and school staff

Focus: vigilance and calm reassurance

  • Be cautious of emails or messages referencing the breach
  • Do not click links or provide information unless confirmed through official channels
  • Change passwords if reused elsewhere
  • Enable multi‑factor authentication where available
  • Reassure students using guidance provided by the school.

For parents and carers

Focus: protection without panic

  • Be wary of scam emails, texts or calls claiming to “help” after the breach.
  • Go directly to official school or government websites for updates.
  • Secure online accounts:
    • change reused passwords
    • switch on multi‑factor authentication where possible
  • Talk to children about not responding to unexpected messages.

A measured but important reminder

Large‑scale incidents involving widely used platforms highlight that cyber risk increasingly sits outside institutional boundaries. While technology controls matter, clear communication, informed users and preparedness for incidents remain critical to maintaining trust.

How BDO can help

BDO’s cyber security team works with education providers to strengthen cyber resilience across prevention, response and recovery. Get in touch for support to assess third‑party risk, improve phishing resilience, test incident response readiness, and communicate clearly with regulators and affected communities when incidents occur.
