Media statement
On Saturday 4 May 2026, Instructure, international digital education technology company headquartered in North America, informed the University of Canberra (UC) of a security incident that had affected access to their platform Canvas, which is utilised by UC.
Further advice from Instructure received on 6 May 2026, confirmed that the incident was a cybersecurity breach impacting 9000 institutions worldwide, including UC. According to Instructure’s advice, they first became aware of the incident on 25 April 2026. The criminal threat actor was detected on 29 April and their access was revoked. They advised that there have been no further indicators of an ongoing threat.
Instructure has reassured UC that from the moment they detected this malicious activity, they moved quickly to protect their platform and learn what happened.
The advice confirmed that the breach involves the names and university-assigned email addresses used by UC staff and students to access the platform. At this time, they have found that there has been no indication that passwords, government identifiers and financial information have been breached.
Instructure confirmed that they are working with forensic experts, law enforcement agencies and partners to investigate the breach.
UC treats the privacy and security of personal information as a matter of highest importance and is independently monitoring the situation.
As this breach affects 25 Australian and New Zealand universities, UC is part of a coordinated national response involving the National Office of Cyber Security, the Department of Education, and Universities Australia.