This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Victorian Department of Education

Summary

The Victorian Department of Education disclosed on 14 January 2026 that unauthorised third parties accessed a database containing student information from all 1,700 Victorian government schools. The breach exposed student names, school-issued email addresses, year levels, school names, and encrypted passwords. The department has reset all student passwords as a precautionary measure and is working with cyber experts to secure systems before the 2026 school year begins.

What Happened

The Victorian Department of Education detected unauthorised access to its student database several weeks before publicly disclosing the breach on 14 January 2026. All 1,700 Victorian government schools were affected by the incident, which compromised a centralised system containing student account information.

Attackers gained access to student names, school-issued email addresses, year levels, school affiliations, and encrypted passwords for accounts that use them. The department stated it has identified the point of entry and removed the attack vector, though specific technical details about the breach method have not been disclosed.

No evidence has emerged suggesting the stolen data has been released publicly or shared with other parties. The department has not confirmed whether attackers demanded a ransom or publicly claimed responsibility for the breach.

Impact on Individuals

The breach potentially affects hundreds of thousands of students across Victoria's government school system, which serves approximately 650,000 students. While the department confirmed that more sensitive information such as birth dates, home addresses, and phone numbers were not exposed, the compromised data still creates risks for affected students and families.

Students should be alert for:

  • Phishing emails targeting school email addresses with personalised information about their school and year level
  • Social engineering attempts using stolen student details
  • Account takeover attempts if passwords were successfully decrypted
  • Spam and unwanted communications to school email addresses

The department advised parents to remind children not to respond to unexpected or unknown emails. As a precautionary measure, all student passwords have been reset and accounts blocked pending the issuance of new credentials.

Organisational Response

Upon detecting the breach, the Victorian Department of Education immediately reset all student passwords across the government school system and blocked access to school accounts. The department prioritised issuing new credentials to VCE (Victorian Certificate of Education) students first, with other students receiving new passwords at the start of the 2026 school year.

The department stated it has identified the breach's point of entry, removed the attack vector, and implemented additional security protections. The organisation is working with cyber security experts and other government agencies to secure systems and ensure the incident does not disrupt students when they return for the 2026 school year.

A department spokesperson confirmed: "The safety and privacy of students is our top priority, we have identified the point of the breach and have put safeguards in place."

Opposition Leader Jess Wilson called for the government to confirm the number of students affected and explain how the breach occurred.

Verification Source: View original statement