
275 Million Users Affected by Online Learning System Breach; HKCERT Urges Local Institutions to Review Security

Last Update Date: 12 May 2026
Release Date: 10 May 2026


 

The cross-border online learning management system (LMS) Canvas has reportedly been breached recently by a hacker group. The group claims to have illegally accessed user data from multiple schools worldwide through the platform and attempted to extort money. As a number of local institutions in Hong Kong also use the system, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), upon learning of the incident, immediately and proactively notified local institutions that could potentially be affected, urging them to stay alert against phishing attacks and to strengthen monitoring for abnormal system activities. So far, seven local institutions have proactively reported suspected personal data leakage to the Office of the Privacy Commissioner for Personal Data (PCPD), and the scope of the impact is still under investigation.


According to a statement by Instructure, the developer of Canvas, the affected data may include user names, email addresses, student ID numbers, and communications between users. The total volume of data involved amounts to 3.65 TB, affecting 275 million users worldwide. The developer also stated that more sensitive information such as passwords, dates of birth, identity document numbers, and online transaction data does not appear to have been involved at this stage. Local institutions known to be affected include The Hong Kong Polytechnic University, the Hong Kong Institute of Construction, the Hong Kong University of Science and Technology, the Hong Kong Academy for Performing Arts, Hong Kong Education City, City University of Hong Kong, and Hong Kong Art School. Criminals may exploit the stolen data to commit offences, such as creating highly convincing phishing emails, impersonating others, and launching phishing attacks against users of the affected institutions.

 

HKCERT recommends that affected organisations and individuals take the following precautionary measures:

 

If you are an affected organisation

  • Review how the platform is currently being used, including the types and volume of data stored on it, in order to assess the extent of the impact.
  • Identify any systems or third-party integration services connected to the platform and temporarily isolate them.
  • Monitor accounts and systems for abnormal login behaviour, suspicious access, or unusual data access patterns, and review system logs and audit records for signs of intrusion or unauthorised access.
  • Remind staff and students to remain vigilant against phishing emails or social engineering attacks that may make use of leaked contact information, especially suspicious emails mentioning “Canvas updates” or “PCPD investigations”, and never approve any two-factor authentication (2FA) requests that they did not initiate.
  • Remind staff and students not to publish any sensitive information or internal project-related content on any online platform.
  • If personal data leakage is suspected, report it immediately to the Office of the Privacy Commissioner for Personal Data and notify the affected individuals.
  • Reassess the risks associated with using Canvas and take appropriate measures to mitigate them.
  • Please keep a close eye on the latest announcements and follow-up updates regarding the Canvas incident. For details, please visit: https://www.instructure.com/incident_update
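
For the phishing point above, a mail-triage sketch that flags messages using the "Canvas updates" or "PCPD investigations" themes when the sender is not a trusted domain or the Reply-To points elsewhere. This is an added example, not HKCERT's or Instructure's code; the regexes, the `example.edu.hk` domain, the trusted-domain list and the sample messages are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure themes named in the advisory; the regexes themselves are assumptions.
LURES = [re.compile(r"canvas\b.*\bupdate", re.I),
         re.compile(r"pcpd\b.*\binvestigation", re.I)]
# Hypothetical sender domains this institution treats as legitimate.
TRUSTED = {"example.edu.hk", "instructure.com"}

def domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def is_trusted(dom):
    """Exact match or subdomain of a trusted domain (never a substring match)."""
    return any(dom == t or dom.endswith("." + t) for t in TRUSTED)

def triage(raw):
    """Return a list of reasons this message deserves manual review."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not any(p.search(subject) for p in LURES):
        return []
    reasons = []
    frm, reply = domain(msg.get("From")), domain(msg.get("Reply-To"))
    if not is_trusted(frm):
        reasons.append(f"lure subject from untrusted domain {frm or '(none)'}")
    if reply and reply != frm:
        reasons.append(f"Reply-To domain {reply} differs from From domain {frm}")
    return reasons

# Constructed sample messages (not real mail).
SAMPLES = {
    "lookalike": "From: Canvas Support <noreply@instructure.com.example.net>\n"
                 "Subject: Urgent Canvas security update required\n\nbody",
    "reply_to": "From: IT <helpdesk@example.edu.hk>\n"
                "Reply-To: helpdesk@example.org\n"
                "Subject: PCPD investigation - confirm your student ID\n\nbody",
    "benign": "From: Registry <registry@example.edu.hk>\n"
              "Subject: Timetable for next term\n\nbody",
    "genuine": "From: IT <helpdesk@example.edu.hk>\n"
               "Subject: Canvas updates this weekend\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The check reads header values only, and a From header can be forged, so it complements sender authentication results (SPF, DKIM, DMARC) rather than replacing them.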

 

If you are an affected individual, especially a staff member or student

  • Be cautious of suspicious emails, messages, or phone calls claiming to be related to Canvas, your school, or any investigation.
  • Do not click on suspicious links or open attachments from unknown sources.
  • Never approve any MFA / two-factor authentication requests that you did not initiate.
  • As a precaution, if you use the same password on other services as the one used for this platform, change that password immediately.
  • Watch for any unusual account activity and report suspicious situations to your institution or organisation as soon as possible.
     

Companies or members of the public who wish to report cybersecurity incidents to HKCERT, such as malware, phishing, denial-of-service attacks, etc., may do so by filling in the online form: https://www.hkcert.org/incident-reporting or by calling the 24-hour hotline: (852) 8105 6060. For any other enquiries, please contact HKCERT by email at [email protected]
