Instructure, Harvard, Victoria University of Wellington and Stanford: New Zealand students' details caught up in massive global university hack

Global Cyberattack Disrupts New Zealand Universities, Exposes Student Data

A widespread cyberattack targeting Instructure, the third-party provider behind the Canvas learning platform, has left thousands of students and staff across New Zealand unable to access course materials, submit assignments, or communicate with tutors. The breach, which also impacted U.S. universities including Harvard and Stanford, has raised concerns over the exposure of sensitive student data.

Key Details of the Incident

  • Who was affected? Universities in New Zealand, including the University of Auckland, AUT, and Victoria University of Wellington, as well as institutions in the U.S., reported disruptions.
  • What was compromised? While universities confirmed their own systems remained secure, the breach exposed names, email addresses, student ID numbers, and private messages exchanged on Canvas. No passwords or assessment data were reportedly accessed.
  • When did it happen? The attack surfaced on Thursday (May 9), with universities scrambling to implement workarounds by Friday (May 10).
  • Why did it happen? The hacking group behind the attack claimed Instructure had previously ignored their demands, prompting the breach. They threatened to release stolen data by May 12 unless affected institutions negotiated a settlement.

Impact on Students and Institutions

  • Disrupted learning: Students like Tyler Jones from the University of Auckland faced delays in accessing lectures, readings, and assignment materials, with some assessments canceled or extended.
  • Privacy concerns: While many students dismissed the risks, experts warned that exposed messages could contain sensitive personal information.
  • University responses: AUT and the University of Auckland advised staff to log out of Canvas and assured extensions for affected assignments. AUT confirmed no submissions would be required while the platform was down.

Global Reach of the Attack

Canvas is used by 9,000 education systems worldwide, making this one of the largest recent cyber incidents targeting academic institutions. The hackers’ message, visible to users attempting to log in, accused Instructure of failing to address prior vulnerabilities, escalating the breach into a ransom-style extortion attempt.

The full extent of the data exposure and the hackers’ next moves remain unclear as institutions assess the fallout.

Source: https://www.rnz.co.nz/news/education/594635/university-of-auckland-and-aut-s-online-learning-system-hit-by-hackers

Instructure TPRM report: https://www.rankiteo.com/company/instructure-inc-

Harvard TPRM report: https://www.rankiteo.com/company/harvard-university

Victoria University of Wellington TPRM report: https://www.rankiteo.com/company/victoria-university-of-wellington

Stanford TPRM report: https://www.rankiteo.com/company/stanford-university

"id": "stavicinshar1778218101",
"linkid": "stanford-university, victoria-university-of-wellington, instructure-inc-, harvard-university",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Thousands of students and staff',
                        'industry': 'Education',
                        'location': 'New Zealand',
                        'name': 'University of Auckland',
                        'type': 'University'},
                       {'customers_affected': 'Thousands of students and staff',
                        'industry': 'Education',
                        'location': 'New Zealand',
                        'name': 'AUT (Auckland University of Technology)',
                        'type': 'University'},
                       {'customers_affected': 'Thousands of students and staff',
                        'industry': 'Education',
                        'location': 'New Zealand',
                        'name': 'Victoria University of Wellington',
                        'type': 'University'},
                       {'industry': 'Education',
                        'location': 'United States',
                        'name': 'Harvard University',
                        'type': 'University'},
                       {'industry': 'Education',
                        'location': 'United States',
                        'name': 'Stanford University',
                        'type': 'University'},
                       {'customers_affected': '9,000 education systems '
                                              'worldwide',
                        'industry': 'Education Technology',
                        'location': 'Global',
                        'name': 'Instructure (Canvas)',
                        'type': 'EdTech Provider'}],
 'attack_vector': 'Third-party provider (Instructure/Canvas)',
 'customer_advisories': 'Students informed of disruptions and extensions; '
                        'assurances of no submissions required during downtime',
 'data_breach': {'data_exfiltration': 'Threatened to release stolen data by '
                                      'May 12, 2024',
                 'personally_identifiable_information': 'Yes (names, email '
                                                        'addresses, student ID '
                                                        'numbers)',
                 'sensitivity_of_data': 'Moderate (PII but no passwords or '
                                        'assessment data)',
                 'type_of_data_compromised': ['Names',
                                              'Email addresses',
                                              'Student ID numbers',
                                              'Private messages']},
 'date_detected': '2024-05-09',
 'date_publicly_disclosed': '2024-05-09',
 'description': 'A widespread cyberattack targeting Instructure, the '
                'third-party provider behind the Canvas learning platform, has '
                'left thousands of students and staff across New Zealand '
                'unable to access course materials, submit assignments, or '
                'communicate with tutors. The breach also impacted U.S. '
                'universities including Harvard and Stanford, raising concerns '
                'over the exposure of sensitive student data.',
 'impact': {'brand_reputation_impact': 'Privacy concerns, disrupted learning, '
                                       'potential long-term trust issues',
            'data_compromised': 'Names, email addresses, student ID numbers, '
                                'private messages',
            'downtime': 'Disruptions from May 9, 2024, with workarounds '
                        'implemented by May 10, 2024',
            'identity_theft_risk': 'Moderate (exposed PII but no passwords or '
                                   'assessment data)',
            'operational_impact': 'Inability to access course materials, '
                                  'submit assignments, or communicate with '
                                  'tutors; canceled or extended assessments',
            'systems_affected': 'Canvas learning platform'},
 'initial_access_broker': {'entry_point': 'Instructure/Canvas platform'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion (ignored prior demands, threatened data release)',
 'post_incident_analysis': {'root_causes': 'Instructure allegedly ignored '
                                           'prior vulnerabilities/demands'},
 'ransomware': {'data_exfiltration': 'Threatened',
                'ransom_demanded': 'Settlement negotiation (unspecified '
                                   'amount)'},
 'references': [{'source': 'Cyber incident report'}],
 'response': {'communication_strategy': 'Advisories to students and staff; '
                                        'assurances of no submissions required '
                                        'during downtime',
              'containment_measures': 'Universities advised staff to log out '
                                      'of Canvas; extensions for affected '
                                      'assignments',
              'incident_response_plan_activated': 'Yes (workarounds '
                                                  'implemented)'},
 'stakeholder_advisories': 'Universities advised staff to log out of Canvas; '
                           'extensions for assignments',
 'threat_actor': 'Unknown hacking group',
 'title': 'Global Cyberattack Disrupts New Zealand Universities, Exposes '
          'Student Data',
 'type': 'Data Breach, Ransomware Extortion'}