In May 2019, Canva - the Sydney-based design platform used by millions of Australian teachers and students - suffered a significant data breach. Attackers accessed approximately 137 million user records including email addresses, usernames, names, cities of residence, and bcrypt-hashed passwords. Bcrypt slows offline password guessing, which is reasonable protection for the general consumer market, but it protects only the password field: the rest of the record was exposed in the clear, and a weak or reused password remains crackable no matter how it is hashed. For schools, the breach exposed something harder to recover from: the personal details of students, some as young as primary school age, held in a cloud platform that most institutions had never formally assessed for data security.
The structural conditions that made Australian schools vulnerable in 2019 remain largely unchanged. Canva for Education is still widely deployed across state school systems. Procurement processes still routinely skip the security vetting steps that regulated sectors such as finance and health take for granted. And student data, governed by some of the most sensitive provisions in the Privacy Act 1988 and its state equivalents, continues to flow into platforms approved through informal channels.
Why Schools Are a Persistent Target
Education departments hold exactly the kind of data that makes attackers pay attention: names, dates of birth, addresses, guardian contact details, and in some cases medical and learning needs information. That data profile maps closely to what is required for identity fraud, and children are attractive targets precisely because fraudulent accounts opened in their name can go undetected for years.
Schools are also structurally exposed. IT budgets are thin, dedicated security staff are rare, and the pressure to adopt free or low-cost tools frequently outpaces any formal security review. Many platforms are adopted at classroom or faculty level without any engagement from IT, let alone a security team. When a breach occurs, notification obligations under Part IIIC of the Privacy Act (the Notifiable Data Breaches scheme) apply to every entity that holds the affected data, not just the vendor that was compromised. The scheme does allow one of several entities holding the same data to notify on behalf of the others, but a school must confirm that this has actually happened rather than assume the vendor has covered it.
What the Privacy Act Actually Requires
Australian Privacy Principle 11 (APP 11) requires entities covered by the Privacy Act to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. For entities collecting student data, "reasonable steps" is not an empty phrase. OAIC guidance on securing personal information makes clear it includes assessing the security of third-party platforms before deployment, establishing data sharing agreements with vendors, and maintaining records of what personal information is held and where.
The Office of the Australian Information Commissioner (OAIC) has been explicit: a vendor breach does not transfer liability away from the entity that collected and shared the data. If a school directed students to create Canva accounts using school email addresses and that data was subsequently compromised, the school carries exposure under the NDB scheme.
The federal Privacy Act applies to non-government schools and Commonwealth agencies; it does not apply to state government agencies. For schools operating under state education department governance, the relevant obligations arise instead under state privacy legislation, including the Victorian Privacy and Data Protection Act 2014 and the NSW Privacy and Personal Information Protection Act 1998, which operate independently of the federal scheme and carry their own security and incident-handling obligations, including, in NSW, a separate mandatory data breach notification scheme for public sector agencies.
The Systemic Failures the Canva Breach Exposed
The Canva breach was not exceptional in its technical execution. It was exceptional in its scale. What made the impact broad was how many organisations had integrated Canva into their workflows without any formal assessment, any data minimisation controls, or any vendor security assurance process.
That pattern repeats across the education sector. Platforms accumulate user data well beyond what any specific task requires. Accounts are created with real names and school-issued email addresses. Passwords are reused from other accounts students hold. Administrators do not audit third-party access or review what data is retained after a student leaves. None of this is unique to Canva. It describes how dozens of edtech platforms are deployed across Australian schools right now.
What Needs to Change, and Where OziCyber Fits
The core problem is not that schools use cloud tools. It is that they deploy them without the security assessment process that a financial institution or healthcare provider would apply as standard practice. That gap is fixable.
OziCyber works with education sector clients on third-party risk assessment and privacy compliance, helping institutions build a clear picture of what platforms hold student data, what security standards those platforms meet, and what obligations exist under applicable privacy legislation. We also provide incident response support when a vendor breach triggers notification obligations, helping schools understand their exposure, assess what data was affected, and meet their NDB scheme reporting requirements accurately and on time.
Training is equally critical. School staff are the first line of defence when a phishing campaign targeting student accounts is underway. OziCyber's security awareness training is built for non-technical audiences including teachers and administrative staff, covering the specific threat patterns most commonly used against the education sector.
If your school or education department has not reviewed its third-party platform inventory or assessed its obligations under the Notifiable Data Breaches scheme, the Canva breach is the clearest possible demonstration of why that review cannot wait. Contact our team to start the conversation.