The Weekly
Brief

A worldwide breach of the Canvas learning platform (run by Instructure) has caught up New Zealand students. The University of Auckland, AUT and Victoria University of Wellington are among institutions affected, and the NCSC says it is working with the Ministry of Education and the universities on the response. Attackers accessed Canvas systems in late April; Instructure detected the intrusion days later and disclosed it on 1 May.

The data involved includes names, email addresses, student ID numbers and messages between users. Instructure says it found no evidence that passwords, dates of birth, government IDs or financial details were taken. The NCSC's main warning is what usually follows a breach like this: a wave of phishing and extortion attempts that use the leaked details to look convincing.

Microsoft has aimed its AI assistant squarely at smaller firms with Microsoft 365 Copilot Business — a full-featured Copilot built into Word, Excel, PowerPoint, Outlook and Teams at US$21 per user per month. It summarises long email threads, drafts documents, analyses spreadsheets and captures meeting notes, the same capabilities larger enterprises already pay for. There's also a limited-time discount when you buy it alongside a Microsoft 365 Business plan, running until 30 June 2026.

Under the hood, Copilot now lets organisations pick from multiple AI models — including Anthropic's latest Claude — for different kinds of work. For a small NZ business, useful AI inside the apps your team already lives in is now a per-seat line item rather than an enterprise project.

New Zealand's National Cyber Security Centre has warned that the newest “frontier” AI models are changing the maths of cyber attacks. These tools can find software flaws — including never-seen-before “zero-day” vulnerabilities — and chain them together into working attacks, far faster and cheaper than a human could. The NCSC expects this to drive a sharp rise in vulnerabilities and incidents: a “vulnerability storm”.

The reassuring part: the NCSC says the defence is not some expensive new AI shield. It's the fundamentals — patch quickly, reduce your attack surface, use layered defences and watch for unusual activity. As the agency put it, these are standard practices; organisations just need to do them more quickly and more consistently than before.

Privacy Commissioner Michael Webster is asking the Government to rewrite the Privacy Act so his office can impose serious financial penalties on organisations that fail to keep personal data safe. The current maximum fine sits at just NZ$10,000 — Webster wants the option of penalties running into the millions for the worst cases, pointing to overseas regimes where regulators can fine far more.

For comparison, Europe's GDPR allows fines up to €20 million or 4% of global turnover, and Australia's penalties reach into the tens of millions. Nothing has changed in law yet — but the direction of travel is clear, and it lands alongside the new IPP 3A indirect-collection rule that took effect on 1 May.