By Rohan Le Page, Founder and Co-CEO of ShareRing
I got a phishing call tonight. Someone pretending to be from the Australian Federal Police, telling me my passport had been stolen and I needed to verify some details. My passport was sitting on the desk in front of me. I told the bloke he was talking to the wrong person and hung up.
Then I see the news that 275 million student records have been stolen in the Canvas breach. 8,809 institutions. ShinyHunters. The University of Melbourne, the University of Technology Sydney, the Royal Melbourne Institute of Technology, Griffith University, the University of Adelaide, the University of Canberra and the Queensland University of Technology all named. State school systems in Queensland, New South Wales, Western Australia, Victoria and Tasmania all caught up in it.
Two unrelated events on the same night, minutes apart. Same root cause. Sensitive data sitting in a central store that should never have been there to begin with.
When are we going to get pissed off enough to stop this truly mental philosophy that sensitive documents need to be centralised?
I am angry tonight. You should be too.
The numbers at a glance. 3.65 terabytes exfiltrated. 275 million records. 8,809 institutions across 50 countries. Names, email addresses, student identification numbers and private messages between students and teachers all in the dump. The Office of the Australian Information Commissioner is engaging directly with Instructure.
You cannot un-leak a leak
On 11 May, Instructure announced it had reached an agreement with the attackers for an undisclosed sum and that the stolen data had, in their words, been destroyed.
That should not give anyone comfort. Paying a ransomware group to delete data is a trust statement, not a technical guarantee. Once 275 million records are out, you have to assume copies exist. They will be sold. They will be used to phish parents. They will be used to phish students. Some of them will end up calling people like me, claiming to be from the Federal Police, asking about passports sitting on desks in front of us.
The only durable fix is to never collect and hold that data in one place to begin with.
We have been here before
This is the same architecture that gave us Optus. The same architecture that gave us Medibank. The same architecture that gave us Latitude. The same architecture that has every Australian’s personal information already sitting on a dark web forum somewhere. And the same architecture is what we have allowed to run education in this country for over a decade.
It is mental. There is no other word for it. We know how this ends every single time. We keep building the same trap, then act surprised when it springs.
What I founded ShareRing to do
I started ShareRing because I got tired of watching this happen. Privacy KYC technology is built on one structural shift. Identity verification happens without the verifier holding the underlying data.
A student proves they are who they say they are. A university confirms that proof is valid. The university never holds the identity document, the address, the government identifier. There is no central honeypot to breach because there is no central honeypot.
That is the moat. The difference between a system that gets breached every quarter and a system where there is nothing to steal.
While Instructure was building a honeypot, we were deploying the alternative
On 23 April 2026 in Bangkok, Turnkey Communication Services, Transformational and ShareRing announced a strategic alliance to launch Thailand’s first integrated Verifiable Credential and Digital Document Wallet infrastructure. Turnkey Communication Services is the Thai digital infrastructure anchor, listed on the Stock Exchange of Thailand. Transformational, led by former Country Head of Google Thailand Ariya Banomyong, is the delivery partner. ShareRing is the privacy KYC engine.
The roadmap is on the record. A major Thai state-owned enterprise goes live in June 2026. A network of Thai universities follows in August 2026, issuing digital academic transcripts into the same wallet.
Thai institutions do not appear on the public list of Canvas breach victims. The August 2026 rollout puts those Thai universities on a different architecture entirely. One where this breach scenario cannot happen, not one where it has not happened yet.
Three months from now, while Australian universities are still writing apology emails about the Canvas dump, Thai students will be holding their academic credentials on their own devices, presented with their consent, verified cryptographically in seconds. Nothing about the student sitting on a central server waiting to be stolen.
That is not a pilot. That is national infrastructure in production.
The architectural rule
Personal data never goes on the chain. What sits on ShareLedger is the issuer registry, the credential schemas, and the revocation lists. The credential body, the name, the date of birth, the grades all live encrypted on the holder’s device. Audit the chain, there is no personal data there to leak. Compromise an issuer, you compromise that issuer’s signing key. You do not compromise 275 million records across 8,809 institutions, because the records are not in one place to be compromised.
Make breaches structurally unable to happen, not statistically harder.
To every university and school system, everywhere
I am not writing this as a vendor. I am writing it as a founder who has watched country after country pay the price over and over and learn nothing from it. Australia tonight. The United States. The United Kingdom. The Netherlands. Canada. Anywhere Canvas runs.
If you run identity, compliance or technology at a university, a school system or a vocational provider, anywhere in the world, the conversation worth having is not “how do we patch Canvas”. It is “why are we still architected this way when an alternative is going into production at national scale this quarter”.
Get angry about it. I am. Then come and talk to us. We are fixing it now.
Questions you are probably asking
Was my student data taken? If your institution uses Canvas and you have an account, assume your name, email and student identification number are in the dataset. Messages between students and teachers were too. Passwords, dates of birth, government identifiers and financial information were not.
Does the agreement with the hackers fix it? No. There is no enforceable way to verify deleted data stays deleted. Containment, not a fix.
What does “privacy KYC” mean in practical terms? The institution verifying you never has to hold your underlying identity data. Verification happens against a proof, not a database. Nothing for an attacker to steal because the data is not there.
Is this hypothetical, or actually deployed? Deployed. The ShareRing wallet is in production on Apple and Android devices. Going live at national scale in Thailand from June 2026, with Thai universities issuing verifiable digital transcripts from August 2026.
The bottom line
Centralised stores of student identity data are now a known structural liability. Instructure proved it at scale. The fix is not better firewalls. The fix is not holding the data in the first place. That is what we have built. That is what is going into production in Thailand in June. The same engine is available for any institution, anywhere in the world, that wants to stop being a target.
If you run an institution that holds sensitive data and you are reading this, you have my email. Use it.
By Rohan Le Page, Founder and Co-CEO of ShareRing
#Private #Secure #Verified #PrivacyKYC #DataBreach #Canvas #Instructure #Education #VerifiableCredentials #Thailand