ShinyHunters Breach Exposes Queensland School Data in Global Cyberattack Affecting 200 Million
The cybercriminal group ShinyHunters has stolen the personal data of every student and teacher registered with Queensland’s state school system, as part of a worldwide ransomware operation that has compromised an estimated 200 million individuals across more than 9,000 institutions globally.
Scope of the Breach
The attack, which came to light on Thursday morning, targeted Instructure, the US-based third-party provider that operates Canvas — the cloud-based learning management platform underpinning Queensland’s QLearn system.
ShinyHunters extracted the names and email addresses of all past and present holders of accounts ending in @eq.qld.gov.au and @qed.gov.au, with records dating back to 2020. Several universities have also been caught up in the breach.
What Data Was Compromised
Queensland Education Minister John-Paul Langbroek confirmed that school locations were among the data accessed. However, he stated there was “no evidence of passwords, dates of birth or financial information” being obtained by the attackers.
Government Response
The Queensland Department of Education moved swiftly to strengthen its firewall protections following the attack. Officials attended an emergency online briefing with affected institutions from around the world.
“School principals are in the process of contacting families and teachers to advise them of the breach,” Minister Langbroek said. The department is understood to have issued principals with a pre-approved template for communications, with letters also being dispatched to the last known postal addresses of those affected.
Langbroek added that the department is “providing priority support to families and teachers with known family and domestic violence, or those known to Child Safety” — an acknowledgment that even partial personal data can pose serious risks to vulnerable individuals.
Wider Implications
The incident underscores the systemic risks posed by public institutions’ reliance on third-party cloud providers. With a single vendor compromise cascading across more than 9,000 organisations worldwide, the breach raises pressing questions about due diligence in procurement, contractual security standards, and the adequacy of existing data protection frameworks for the education sector.

