The Office of the Australian Information Commissioner (OAIC) is aware of a recent global cyber incident impacting Instructure.
Instructure is an education technology company that owns Canvas, a learning management system.
Education providers, including universities, vocational providers and some state schools in Australia, have been affected.
The National Office of Cyber Security is coordinating the response.
It is important to note that not all educational institutions are covered by the Privacy Act 1988 (Cth). State and territory government schools are usually governed by state privacy laws, and public universities and TAFEs are generally exempt unless they operate as private entities.
Specific enquiries about this cyber breach should be directed to Instructure or your education provider.
How to make a privacy complaint
If you wish to lodge an individual privacy complaint about Instructure or an entity impacted by the cyber breach, you must first lodge a complaint directly with Instructure or that entity.
Organisations covered by the Privacy Act (Cth) must have reasonable complaints handling processes in place. This requirement allows the entity opportunity to deal with your complaint as required by the Privacy Act.
Given the circumstances, the entity should be provided with a minimum of 30 days to enable it to adequately respond to your complaint.
The OAIC has published guidance to assist individuals to make a privacy complaint, should the need arise.
Further information about engaging with an entity to resolve a complaint, and the OAIC's privacy complaints practices, is available on our website.
This includes a guide to assist in complaining to an entity ( Complain to an organisation or agency ), and to help in lodging a privacy complaint with the OAIC ( Lodge a privacy complaint with us ).
More information on the OAIC's complaint processes, including information on the possible outcomes or resolutions is also published online ( How we investigate and resolve your complaint ).
Information for those impacted by the cyber incident
Australia continues to be a target for cyber criminals who seek to exploit stolen data.
There are steps you can take to protect your personal information and online accounts, particularly if you think your information, such as logins or passwords, might have been caught in a cyber incident.
The Australian Government advises three simple steps you can take to be more secure online:
- Set up multi-factor authentication whenever available to add an extra layer of security to your online accounts.
- Create strong and unique passphrases of 14 or more characters long. These passphrases should be different for each account you hold.
- Install software updates regularly to keep your devices secure.
For more information, visit Act Now Stay Secure ( What are you risking online? | Act Now. Stay Secure. )
You can learn how to protect yourself from scams by visiting the National Anti-Scam Centre's (NASC) ScamWatch site ( www.scamwatch.gov.au )
