The cyberattack on the Canvas learning management system has underscored the need for “national sovereignty” of data storage, according to the University of Canberra’s vice-chancellor.
Bill Shorten, a former federal cabinet minister, said the hack of Canvas creator Instructure – thought to have impacted over 200 million people working or studying at almost 9,000 schools, colleges and universities globally – warranted a “conversation” about whether critical datasets should be stored in Australia.
“How is it that…there’s a breach into one system, and all of a sudden, all the data in Australia is compromised? There’s a national sovereignty argument about where we store our data, and universities need to be part of that conversation.
“Are we happy with critical education information being stored overseas? I haven’t got a view on the ultimate answer on that, but [this is] certainly a wake-up call. We…need some gatekeeping.”
Instructure said the attack, which had alarmed thousands of customers around the globe, appeared to have been “resolved” by 6 May. But further turmoil in the system forced the complete shutdown of the platform in many institutions, including some 25 Australian universities.
It created mayhem across the US, where over 40 per cent of higher education institutions reportedly use Canvas. Many universities postponed exams and final project due dates, according to .
The company eventually paid an undisclosed ransom to the hackers, thought to be a group called “ShinyHunters”, who returned the data and provided “digital confirmation” that any copies had been destroyed. “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” an says. “This agreement covers all impacted Instructure customers.”
In a subsequent update, CEO Steve Daly offered an emphatic apology for the company’s decision to “get the facts right” before speaking publicly. “That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. Rebuilding trust takes time. We’re going to earn it back through consistent action and honest communication.”
American cybersecurity expert Cliff Steinhauer said communication was not the company’s only problem. “Paying a ransom in a case like this can create a dangerous feedback loop where attackers are effectively rewarded for successful breaches,” said Steinhauer, director of information security and engagement at a non-profit organisation called the National Cybersecurity Alliance.
“When criminals claim they’ve deleted stolen data…there is no reliable way to verify those claims. Data is often retained, resold or used in future extortion attempts. A longer-term exposure problem can resurface months or years later, often with no additional leverage to prevent it.”
The Canvas breach highlights the risks of centralised digital platforms that keep day-to-day academic operations running, Steinhauer said. “Even if highly sensitive financial information was not exposed, educational records, communications and identity data can still be valuable to cybercriminals for phishing, impersonation and future attacks. Compromising a single platform can provide access to thousands of organisations at once.”
Shorten said he had become apprised of these risks while serving as minister for government services, with responsibility for the agency Services Australia. Criminal outfits sought to obtain data which seemed fairly benign, such as institutional email addresses, and harnessed the information to create “data points” and virtual “characters” for use in more sophisticated phishing attacks.
He said storing university data onshore would not solve “every issue”, such as preventing “insider hacking” by university staff. But it would stop “global cybergangs” from “being able to just rampage around our records because of a problem somewhere else”.
Shorten said Australia needed to rethink its oversight of the data underpinning healthcare, transport, utilities and “certainly” education. “National sovereignty in terms of our data is as important as submarines.
“It’s not just a security argument. It’s a productivity argument too. Data centres can underpin jobs. [They] basically turn electricity into intelligence. We should have them anyway.”