A global cyberattack on online learning platform Canvas has compromised the personal information of more than 72,000 students and staff at Hong Kong schools and universities, according to the city’s privacy watchdog.

The data breaches are part of a global attack that hit almost 9,000 educational institutions worldwide, involving data from 275 million users, according to the platform’s developer, Instructure.

Seven local institutions, including three public universities, have reported the breaches to the Office of the Privacy Commissioner for Personal Data (PCPD).

They are: the Hong Kong University of Science and Technology (HKUST), the Hong Kong Polytechnic University (PolyU), City University of Hong Kong (CityU), the Hong Kong Academy for Performing Arts, the Hong Kong Art School, the Hong Kong Institute of Construction (HKIC), and Hong Kong Education City Limited.

The ShinyHunters hacker group allegedly held Instructure to ransom, threatening to leak the information unless Instructure pays, according to international media.

Instructure said it had reached an agreement with the hacker group to prevent a public leak and gave assurances that no personal information had been compromised.

Student and staff information

The CityU breach involved 28,000 students, according to the university’s report to the PCPD, the privacy watchdog said in a statement on Monday. The leaked data may have included student names, email addresses, student IDs, and messages.

The breach also affected 42,000 students and staff at PolyU, with their names and email addresses potentially compromised, according to the PCPD.

The watchdog “has advised the relevant organisations to notify those affected as soon as possible and to provide assistance as appropriate in each case, in order to prevent the breach from escalating,” it said.

Some 2,500 students and staff at the HKIC and 71 students at the Hong Kong Art School were hit by the breach. The other three institutions have yet to confirm the number of people affected.

Cybersecurity officials have called on institutions to suspend use of the online learning platform and remain vigilant against potential follow-up phishing attacks.

The Hong Kong Productivity Council chief digital officer Edmond Lai said at a press conference on Monday that such attacks could lead to further data leaks or unauthorised transactions.

He also said that the Hong Kong Computer Emergency Response Team Coordination Centre is using artificial intelligence tools to identify phishing websites potentially linked to the Canvas hack.

Meanwhile, Chief Superintendent Raymond Lam said at a press conference on Tuesday that two police reports had been made in relation to the Canvas hack.

One report was filed by a local institution, while the other involved people who used the incident as a pretence to deceive a resident.

A Hong Kong student has described an anonymous petition circulated by pro-Beijing supporters calling for her expulsion from university as an “intimidation” campaign.

The petition targeted Hailey Cheng, a student at the City University of Hong Kong (CityU), who last year blew the whistle on a secondary school student’s award-winning science project, Medisafe. Cheng was arrested in February for doxxing in connection with the same academic integrity scandal.

An anonymous member of a Facebook group for the Hong Kong Programming Society posted the petition on Tuesday, urging “Hong Kong’s vast blue camp” – referring to pro-Beijing supporters in the city – to share it.

In an open letter addressed to CityU President Freddy Boey, the petitioners threatened “to escalate” the matter if the university did not expel her.

They said they would lodge complaints with the Liaison Office, deny CityU graduates interview and employment opportunities, and distribute leaflets to inform the public about the university’s handling of the situation.

The Facebook post was removed on Wednesday evening.

Writing on Threads on Wednesday, Cheng cast doubt on the legitimacy of the anonymous petition. She said that “in the absence of any verifiable identity or authorisation,” it was questionable and could mislead the public.

It may also raise concerns that the programming group’s platform had been hijacked, she added.

The CityU student also said the petition’s approach was unacceptable, as it amounted to “intimidation and collective punishment,” which “seriously deviated” from rational discussion and the rule of law.

“Furthermore, the petition claims to involve a Legislative Council member. If this involves impersonating a public official or the improper use of their name, such conduct may entail legal risks,” Cheng said.

Pointing out that she had not been formally charged following her arrest, she wrote: “Should such conduct interfere with or affect ongoing law enforcement or judicial proceedings, it may also entail legal risks, such as perverting the course of justice.”

Unnamed signatories

According to the open letter, the petition was signed by more than 40 chief information officers, 12 university professors, 30 information technology management executives, and one lawmaker.

None of them was named.

Cheng “deliberately targeted a secondary school student, employing excessive online bullying with methods that contravened privacy laws to disclose the minor’s personal data, resulting in the student suffering harm,” the petition read.

“Tomorrow, we will meet the National Security Department, the Office of the Privacy Commissioner for Personal Data, the Hong Kong police, and Beijing’s Liaison Office to demand that Hailey Cheng be expelled.”

The petition also called on CityU to conduct its own formal investigation and expedite disciplinary proceedings, adding that demands would be escalated to national security and Beijing authorities if the university did not comply.

In June, Cheng raised concerns that MediSafe – a medication prescription app that won multiple prizes at the Hong Kong ICT Awards 2024 – was not actually made by secondary school student Clarisse Poon.

In August, a US-based software development company called AI Health Studio said it was commissioned by Poon’s mother to build the app. The company said the app was submitted to competitions without its consent.

Renowned liver disease specialist Ronnie Poon and Roberta Pang, the student’s parents, later broke their silence in the same month, saying their daughter would return all the awards associated with MediSafe, according to local media reports.

Pang said she had approached a software company in March 2024 to explore commercialising the app, but insisted it was her daughter who conceptualised it.

While apologising for the controversy, the parents also said their daughter was “on the brink of a breakdown” due to “relentless” cyberbullying.