*This article's newsletter headline incorrectly referenced Canva as the target of the cyber breach and not Canvas. The Educator apologises for this typo and the web version of the article has since been updated accordingly.
Earlier this month, the Queensland Government confirmed that hackers accessed tens of thousands of names, email addresses, student ID numbers and private messages sent through Canvas, one of the world's most widely used learning management systems.
Fortunately, Instructure, the U.S company behind Canvas, has confirmed there is no evidence that passwords, dates of birth, financial information, or government identifiers were compromised, and the stolen data has not yet been made public.
The cyber breach has been a major wakeup call for schools, TAFEs and universities.
Research from leading cybersecurity company Proofpoint reveals that nearly three quarters (73%) of schools and over three in five (66%) of universities currently lack industry-recommended email authentication controls, such as DMARC at ‘reject’ levels and is warning that much of Australia’s education sector remains exposed to threats.
According to the research, 73% of the top 100 Australian private schools are not using recommended email protections, leaving them highly susceptible to email spoofing, impersonation and phishing.
Worryingly, 6% of schools do not have any DMARC record at all, placing them at significantly increased risk of email fraud and domain spoofing attacks.
Cybersecurity experts warn that breaches like this rarely end with the initial attack. Even when highly sensitive details such as passwords or financial data are not exposed, stolen names, email addresses and internal communications can still be valuable to cybercriminals.
In many cases, that information is later used in phishing scams, impersonation emails or highly targeted attempts to trick students, staff and families into handing over further personal information.
What should impacted staff and students look out for?
Tony Anscombe, ESET's Chief Security Evangelist, says the biggest danger now may not be the stolen data itself, but how cybercriminals choose to weaponise it in the weeks ahead.
“If, as reported, the breached data is limited to names, email and school location the most likely immediate use of the data by cybercriminals will be to create a phishing campaign with a call to action to gather more data from the victims,” Anscombe said.
“The emails could take the form of a breach notification, request to change password or to register for identity protection services, all of which, if real, would require additional personal details making the malicious email request contextual. A basic rule is do not respond directly to any link in email regarding this topic, go to the university website directly and follow official guidance offered.”
Anscombe said university and school systems are attractive targets for hackers because they often have very personal and sensitive data of students and staff.
“For example, student data can include medical conditions and medications, and financial details for billing purposes,” he said.
“This rich set of data has value to the cybercriminals, both in extorting an organization in order not to offer it for sale, or directly in identity theft or digital fraud.”
Anscombe cautioned that while early reports suggest that only minimal data has been compromised, it may turn out that additional data – such as date of birth, and possibly even passwords – might have been exfiltrated.
“As a precaution I recommend that if students or staff have used the same password, or similar, on multiple sites they immediately take action and change the passwords and where possible activate multi-factor authentication.”
How schools can minimize the risk of being hacked
Anscombe said universities and schools should follow a recognized cybersecurity framework to ensure the highest level of security posture is achieved.
“This will include technologies such as endpoint detection and response, multi-factor authentication, identity access management, vulnerability and patch management and such like,” he said. “Following a framework will ensure that all corners of the organization are considered and secured.”
However, third-party data breaches such as this one are, unfortunately, a reality, said Anscombe.
“Universities and schools need to ensure that any provider they contract with that may either have access to school systems or provide student and staff services follow the same strict cybersecurity practices and policies that are in place internally,” he said.
“There should be frequent audits to ensure compliance, and this should not just be in the form of a questionnaire once per year.”
Another precautionary measure to help mitigate the risk of identity theft is to lock credit records, said Anscombe.
“All the major agencies offer the ability to lock or freeze credit records, stopping any activity from a malicious party. This is a free service. The record can be unlocked at will by the holder if needed.”
Sam Spencer data expert and adjunct professor at the University of Canberra, said the key to protection is robust data governance.
“In a recent study we ran with the research agency Public Spectrum, 25% of public servants' departments did not believe they had adequate data security and 50% struggled to find data,” Spencer said.
“This tells us that the government needs to get better at governing its data. This story is another case where chief data officers where the first time they know about the data they have in the news.”
Spencer said it’s important to remember that this isn’t the first time students have been victims of a data breach this year.
“A similar breach happened in Victoria earlier this year. The real risk is what I call ‘data revictimisation,’ where someone is a victim of multiple data breaches, and data across those leaks can be connected to learn more about that person than a single attack,” he said.
“Victorian students impacted across multiple breaches are at an even higher risk, and may not even realise it.”