Notifiable data breaches

Notifiable data breaches

From 1 January 2027, we are required by law to tell you if your personal data has been involved in a data breach.

A data breach occurs when sensitive or personal information is accessed, disclosed or exposed to unauthorised people. This may be by accident, or the result of a security breach.

Notifications of eligible data breaches will be published on this page to support transparency and provide you with access to information about incidents that may impact your personal information.

To raise concerns, refer to complaints.

The Department of Education is aware of a recent cybersecurity incident in May 2026 involving the Canvas learning management system.

Instructure, the provider of Canvas, confirmed the Department is among those affected by the incident.

We understand that personal information, including name, email address and employee number, may be impacted.

Importantly, there is no indication that passwords, dates of birth or financial information were accessed.

We are working closely with the vendor and the Office of Digital Government to understand what data was involved and confirm if any WA schools have been impacted.

While there is no immediate action required, we encourage you to maintain a heightened awareness of potential scam activity by:

  • staying mindful and alert when receiving unexpected messages or contact
  • avoiding clicking on links in emails, texts or messaging apps unless you’re sure they’re trustworthy
  • being especially cautious if messages offer some financial benefit, ask you to download a file or entice, coerce or threaten you to take a specific action
  • understanding that your employer, financial institution and other legitimate organisations would not send you a link requiring you to disclose personal identity or financial details
  • using unique, strong passphrases.

We will provide updates if more information becomes available.

Published: 10 July 2026.