Over 72,000 Hongkongers hit as HKUST, PolyU among institutions in global Canvas hack

Breach is part of wider global data leak that has affected universities and schools worldwide, with an estimated 9,000 institutions impacted

A global data leak involving learning platform Canvas has exposed the personal information of more than 72,000 students and staff across Hong Kong educational institutions, with authorities warning of further threats targeting those affected.

As of Tuesday, seven local educational institutions had reported data breaches to the Privacy Commissioner for Personal Data, including major universities such as the Hong Kong University of Science and Technology (HKUST), Polytechnic University and City University.

The other four institutions are the Hong Kong Academy for Performing Arts, Hong Kong Art School, Hong Kong Institute of Construction and Hong Kong Education City Limited.

Edmond Lai Shiao-bun, chief digital officer of the Hong Kong Productivity Council, warned that affected individuals could face additional cybersecurity risks, urging schools to suspend use of Canvas where possible.

“Attackers can use the personal information to launch more targeted phishing attacks,” Lai said. “Phishing emails can now be generated with highly realistic content, making it easier for teachers and students to be lured into clicking links that lead to fraudulent websites.”

“Such links could result in further leakage of personal information and passwords, or even be used to deceive users into making online transactions,” he added.