A global cyberattack on online learning platform Canvas has compromised the personal information of more than 72,000 students and staff at Hong Kong schools and universities, according to the city’s privacy watchdog.

The data breaches are part of a global attack that hit almost 9,000 educational institutions worldwide, involving data from 275 million users, according to the platform’s developer, Instructure.

Seven local institutions, including three public universities, have reported the breaches to the Office of the Privacy Commissioner for Personal Data (PCPD).

They are: the Hong Kong University of Science and Technology (HKUST), the Hong Kong Polytechnic University (PolyU), City University of Hong Kong (CityU), the Hong Kong Academy for Performing Arts, the Hong Kong Art School, the Hong Kong Institute of Construction (HKIC), and Hong Kong Education City Limited.

The ShinyHunters hacker group allegedly held Instructure to ransom, threatening to leak the information unless the company paid, according to international media.

Instructure said it had reached an agreement with the hacker group to prevent a public leak and gave assurances that no personal information had been compromised.

Student and staff information

The CityU breach involved 28,000 students, according to the university’s report to the PCPD, the privacy watchdog said in a statement on Monday. The leaked data may have included student names, email addresses, student IDs, and messages.

The breach also affected 42,000 students and staff at PolyU, with their names and email addresses potentially compromised, according to the PCPD.

The watchdog “has advised the relevant organisations to notify those affected as soon as possible and to provide assistance as appropriate in each case, in order to prevent the breach from escalating,” it said.

Some 2,500 students and staff at the HKIC and 71 students at the Hong Kong Art School were hit by the breach. The other three institutions have yet to confirm the number of people affected.

Cybersecurity officials have called on institutions to suspend use of the online learning platform and remain vigilant against potential follow-up phishing attacks.

The Hong Kong Productivity Council chief digital officer Edmond Lai said at a press conference on Monday that such attacks could lead to further data leaks or unauthorised transactions.

He also said that the Hong Kong Computer Emergency Response Team Coordination Centre is using artificial intelligence tools to identify phishing websites potentially linked to the Canvas hack.

Meanwhile, Chief Superintendent Raymond Lam said at a press conference on Tuesday that two police reports had been made in relation to the Canvas hack.

One report was filed by a local institution, while the other involved people who used the incident as a pretence to deceive a resident.

Hong Kong’s privacy watchdog has warned against paying ransoms to hackers after education management platform Canvas was targeted in a global cyberattack, compromising the personal data of 72,000 students and staff in the city.

“If it’s the case that a ransom was paid, that is a practice that we would condemn,” privacy commissioner Ada Chung told RTHK on Friday.

Instructure, the developer of Canvas, said it had reached an agreement with hacker group ShinyHunters. The group demanded that Instructure pay a ransom, or it would publicly leak the information.

Neither party has confirmed whether Instructure paid the ransom the group demanded. ShinyHunters said it had deleted the data and vowed not to extort students or institutions.

Cybersecurity

“This case involves hacking, which is illegal. Resources should not be given to the hackers, but should instead be invested in cybersecurity,” Chung said.

She added that paying the ransom could not guarantee the data would not be leaked, and that the hackers might have other plans.

“It could even signal to other hackers, ‘You are willing to pay the ransom, so we will come after you,’ which carries significant risks,” she said.

According to the Office of the Privacy Commissioner for Personal Data (PCPD), the hack compromised the personal data of 72,000 students and staff from seven local institutions, including names, email addresses, student IDs, and messages.

The breach was part of a broader, global attack that hit almost 9,000 educational institutions worldwide, involving 3.5 terabytes of data from 275 million users, according to Instructure.

Chung also said on Friday that there was no evidence to suggest that there had been any public data leaks.

As Instructure would need several weeks to complete its review of the incident, Chung advised organisations that use Canvas to ensure their systems are protected and to remove any sensitive information from the platform.