Sensitive student data breached in Victorian government school cyberattack – Steps for non-government schools

On Wednesday 14 January 2026, the Department of Education (DOE) announced that a major cyberattack had compromised the personal information of students from all Victorian government schools.

This news is a timely reminder that all schools are required by law to keep personal information secure. Schools are required to report eligible data breaches to the Office of the Australian Information Commissioner, whether these are caused by the school or by a malicious actor.

What we know so far about the DOE cyberattack

According to the DOE, an unauthorised external third party accessed a database containing information about current and past school student accounts, including:

  • Student names
  • School-issued email addresses
  • School names and year levels
  • Encrypted passwords for school accounts

What trends correlate with data breaches in non-government schools?

Whilst there is no evidence that any non-government schools were impacted, privacy breaches (including from cyberattacks) do occur at non-government schools – both Catholic and independent. We often support schools in these matters.

In our experience, certain factors tend to correlate with breaches. These include:

  • Adoption of new CRMs and platforms (including leaving administrator access open, and having incorrect privacy settings, which make online forms publicly searchable);
  • Keeping old information which is no longer required, instead of archiving or destroying it;
  • A spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays;
  • Incorrect settings (for example, in Teams or on consent platforms); and
  • Circulating spreadsheets via email (instead of SharePoint, for example).

How we can help

Moores supports non-government schools with privacy compliance, data breach response and cyber incident management. In late January 2026, Moores will release its 2026 Privacy Toolkit, designed to assist organisations of all types to meet their obligations under Australian privacy laws.

Our team regularly advises not-for-profits, schools and education providers on privacy compliance, data breach response plans and proactive redesign of processes to implement privacy-by-design.

Contact us

Please contact us for more detailed and tailored help.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.