Hacked: University of Newcastle student, staff data compromised

Newcastle Herald
Hackers have accessed millions of students' data after breaking into a learning system used by universities across the world. Image: file

University of Newcastle student and staff data has been compromised after hackers targeted a learning management system used by millions across the world.

A hacking group calling themselves ShinyHunters has taken responsibility for a cyber attack on tech giant Instructure, the company behind the popular Learning Management System (LMS) Canvas.

The hacking group claims it has accessed data for 275 million teachers and students across more than 9000 universities and schools.

On May 1, Instructure released a statement advising they had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor" and were actively investigating this incident with the help of outside forensics experts.

On May 2, it advised the incident had been contained. The company said it would continue to monitor its platforms and investigate how the cyber attack occurred.

Instructure said it patched its security system, revoked certain credentials and access tokens, and rotated API keys "out of an abundance of caution."

Canvas is used by a number of universities across Australia and the world, including the University of Newcastle.

Exposed data appears to include names, emails, student IDs, and user messages.

There is no evidence so far of passwords or financial data being compromised.

The university was advised by Instructure it was among the institutions impacted by the breach.

In an email to staff on Wednesday, the university advised that unauthorised access to Canvas has resulted in the theft of data associated with some accounts.

"While the investigation is ongoing, they have confirmed that the affected data includes student names and university email addresses, student ID numbers, and some content stored within Canvas, such as messages and course-related information," the message said.

"At this time, the vendor reports they have found no evidence that passwords, dates of birth, government identifiers, or financial information are involved."

The university said it has taken immediate action to secure all system connections, audit administrative access, and reset relevant credentials.

"We are also in contact with national cybersecurity agencies and we will continue to monitor our systems closely for any suspicious activity."

The university said that while the information accessed was limited, there was a heightened risk of targeted phishing attempts on students and teachers, and advised them to take measures such as changing passwords, reporting suspicious communications, and setting up multi-factor authentication.

In 2024, ShinyHunters took responsibility for a hack on global event giant Ticketmaster, claiming to have accessed more than 500 million individuals' information.