NSW School Audit Exposes Major Privacy Gaps in Student Records

A NSW school audit reveals major security gaps, including a breach where students accessed 2,000 highly sensitive mental health and behavior files.

Monday, June 29, 2026

Key Takeaways

  • A NSW Auditor-General audit uncovered 491 school data security incidents between 2023 and 2025. This included a major breach where two students accessed 2,000 sensitive peer files detailing mental health and behavioral issues.
  • A global security breach of the Canvas learning management system by the hacking group ShinyHunters compromised the names, email addresses, and messaging records of students worldwide.
  • A UNSW cybersecurity audit of 200 school-approved Android apps found that 75% violated their own privacy policies. These apps harvested children's personal data immediately upon launch.

A new audit of New South Wales schools has revealed major gaps in how student data is protected. In one incident, two students accessed thousands of sensitive files. This security failure points to systemic problems in school information management, which worries parents and educators.

What Happened

An investigation by the NSW Auditor-General exposed vulnerabilities in school cybersecurity and documented 491 data security incidents between 2023 and 2025. According to the NSW Audit Office review, school systems failed to maintain basic privacy controls. This failure created what auditors called "critical gaps" between official state policies and classroom realities.

In the most serious case, two public school students bypassed security protocols to access 2,000 files belonging to their peers. These files contained confidential personal details, including behavioral records, disabilities, and psychological diagnoses. The breach occurred because the NSW Department of Education had weak access controls on its school networks. As a result, unauthorized users could view records that only school psychologists and administrators should have seen.

The Bigger Picture

These network failures occur alongside growing concerns about third-party educational software. State education departments increasingly rely on cloud-based platforms, but these services can expose student data to hackers.

A global security breach recently hit the Canvas learning management system, a platform used by millions of students. A hacking group called "ShinyHunters" targeted the platform and compromised student names, email addresses, and messages across schools, TAFEs, and universities. The lapse forced the NSW Department of Education to launch an investigation into the Canvas breach to see how many local students and staff members were affected.

Security threats go beyond large learning platforms. Researchers at the University of New South Wales (UNSW) analyzed 200 school-approved Android applications recommended on state education websites. They found that most of these apps collected student data within seconds of being opened, then sent those details to commercial trackers.

According to lead researcher and UNSW cybersecurity expert Dr. Rahat Masood, only one in four of these recommended apps followed its own privacy policy. This means that even when schools recommend an app for homework, the software may violate student privacy standards.

What This Means for Families

These findings show that school-approved technology is not always secure. When schools fail to restrict file access, students can easily view medical and psychological records stored on shared drives.

The state tracks these vulnerabilities through the Mandatory Notification of Data Breach (MNDB) Scheme. This law requires the NSW Education Standards Authority to run the NESA Public Notification Register. If a major data breach occurs and the agency cannot notify people individually, it must publish details of the breach, what data was exposed, and how it is fixing the problem.

What You Can Do

To protect student privacy, parents and school councils can ask principals to confirm that sensitive records, like counselor notes and learning plans, are secured behind strict access permissions instead of general school drives.

Families can also regularly check the MNDB Public Register to stay informed about data breaches that affect local schools.

Finally, parents can set strict privacy settings on student devices to limit the kind of data collection that the UNSW app tracking findings revealed.
