Statement relating to the Canvas cyber incident

 

The Privacy Commissioner is aware of a recent cyber incident regarding Canvas, a cloud-based Learning Management System (LMS) for education. The Commissioner is aware that this incident is affecting education entities including New South Wales (NSW) universities and some public schools who use the platform. 

Any NSW public university or public school that has reason to believe they have been affected by this incident should immediately undertake a data breach assessment in accordance with their obligations under Part 6A of the Privacy and Personal Information Protection Act (PPIP Act) to determine whether an eligible data breach has occurred. 

The NSW Mandatory Notification of Data Breach (MNDB) Scheme mandates reporting obligations for NSW public sector agencies. This includes notifying the Privacy Commissioner, as well as taking steps to notify affected individuals, where a data breach is likely to result in serious harm to individuals whose personal information is involved.

Members of the public who have concerns that their personal information may be involved in the incident, should approach their educational institution in the first instance. 

There are steps you can take to protect your personal information and online accounts, particularly if you think your information, such as logins or passwords, might have been caught in a cyber incident. They include:

  • Set up multi-factor authentication whenever available to add an extra layer of security to your online accounts.
  • Create strong and unique passphrases of 14 or more characters long. These passphrases should be different for each account you hold.
  • Install software updates regularly to keep your devices secure.

Reports about this incident may be understandably distressing to those who may be affected. If a data breach causes distress, there is support and resources available. Anyone concerned for their safety should contact NSW Police.

The IPC does not comment on the details of individual matters. Investigations of incidents are undertaken independently by the agency involved with reporting obligations required under the MNDB Scheme.

 

ENDS

 

For further information, please contact:

The Manager, Communications and Corporate Affairs on 0435 961 691 or email communications@ipc.nsw.gov.au

About the Information and Privacy Commission:

The Information and Privacy Commission NSW (IPC) is an independent integrity agency that supports the NSW Information Commissioner and the NSW Privacy Commissioner.  Its vision is that privacy and access to government information are valued and protected in NSW. The Information Commissioner is the chief executive of the Commission. 

About the NSW Privacy Commissioner

Ms Sonia Minutillo was appointed as the Privacy Commissioner in March 2025. As Privacy Commissioner, her role includes the promotion of public awareness and understanding of privacy rights in NSW, as well as providing information, support, advice and assistance to agencies and the public.

The Privacy Commissioner administers the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).

For further information about the IPC visit our website at www.ipc.nsw.gov.au 

IPC Statement - Statement relating to the Canvas cyber incident 12 May 2026
Aboriginal and Torres Strait Islander Flags
We acknowledge Aboriginal and Torres Strait Islander peoples as custodians of Australia and pay our respects to Elders, past and present. We also acknowledge the ongoing connection to land, sea and communities throughout Australia, and the contributions to the lives of all Australians. 

IPC logo.

© IPC

CC logo

Navigate

Useful links

IPC Social Media

   Linkedin

 

IPC Social Media Terms of Use