Cyber-security officials on Monday called on school and universities, wherever possible, to temporarily stop using the online learning platform Canvas — which was recently the target of a cyber-attack.

According to the software developer Instructure, the breach hit nearly 9,000 education institutions worldwide, involving data from 275 million users.

The leak would have compromised student names, emails, student IDs and messages sent on the platform.

The Hong Kong Computer Emergency Response Team Coordination Centre said that if institutions must continue using Canvas, they should be extra careful about possible phishing attacks.

"There’s always some potential risks of further hacking the system," chief digital officer of the Hong Kong Productivity Council Edmond Lai said.

"If you are using the system, no matter whether you are a teacher, a staff or just a student, I think the special concern is on anything you receive, whether it’s an email, a text message.

"Whatsoever regarding asking you to log into the system to do whatever you need to do you have to pay extra attention, especially if it contains any links, you need to double-check the code behind that link, whether it’s really directing to the system or not."

Lai noted the centre has been working closely with the Digital Policy Office to formulate countermeasures and an emergency plan, adding it has contacted local institutions that have a chance of being affected.

The centre is also using artificial intelligence tools to scan for and identify phishing websites potentially associated with the Canvas attack, he added.

So far, five local institutions have reported being affected.

They are Polytechnic University, the University of Science and Technology, the Academy for Performing Arts, the Hong Kong Institute of Construction and Hong Kong Education City Limited.


Edited by Tony Sabine