The Office of the Privacy Commissioner for Personal Data said on Friday it had received reports of data breaches from seven institutions affecting more than 72,000 people after the online learning platform Canvas became a target of a cyber attack.

The seven institutions are the Polytechnic University, the Institute of Construction, Hong Kong Education City Limited, the University of Science and Technology, the Academy for Performing Arts, Hong Kong Art School and City University.

The compromised data includes names, email addresses, user names, departmental information, student IDs and, in some cases, course and system-related information.

Privacy Commissioner Ada Chung said her office is contacting the institutions to understand the scope of the impact and that there is no evidence of actual losses at the moment.

The platform, she said, had been hacked twice, and the relevant company still requires several weeks to complete its investigation.

Chung urged institutions still using this platform to conduct a comprehensive review of the security of their information system, and consider deleting any sensitive data previously stored on the platform.

She stated that if the parent company of the platform decides to pay a ransom and reaches an agreement with the hackers, her office will strongly condemn such actions.

She questioned whether all data can be recovered, whether the hackers have already backed up the data, and whether such actions might encourage further cyberattacks.

"If I pay the ransom once, will I really get all my data back?," Chung said in an RTHK programme.

"What if the hackers have already made copies before returning it? Or worse – what if other hackers find out you’re willing to pay ransoms and come after you again? The risks, in fact, become even greater."

Chung also expressed concern about a decision by Instagram to discontinue its end-to-end encrypted messaging feature from May 8. She urged users to consider backing up and deleting message content.


Edited by Priscilla Ng