Hong Kong privacy watchdog warns against paying ransoms after Canvas hack

Hong Kong’s privacy watchdog has warned against paying ransoms to hackers after education management platform Canvas was targeted in a global cyberattack, compromising the personal data of 72,000 students and staff in the city.

Office of the Privacy Commissioner for Personal Data. Photo: PCPD, via Wikimedia Commons.

“If it’s the case that a ransom was paid, that is a practice that we would condemn,” privacy commissioner Ada Chung told RTHK on Friday.

Instructure, the developer of Canvas, said it had reached an agreement with hacker group ShinyHunters. The group demanded that Instructure pay a ransom, or it would publicly leak the information.

Neither party has confirmed whether Instructure paid the ransom the group demanded. ShinyHunters said it had deleted the data and vowed not to extort students or institutions.

Cybersecurity

“This case involves hacking, which is illegal. Resources should not be given to the hackers, but should instead be invested in cybersecurity,” Chung said.

She added that paying the ransom could not guarantee the data would not be leaked, and that the hackers might have other plans.

The Canvas logo. Photo: Canvas by Instructure.

“It could even signal to other hackers, ‘You are willing to pay the ransom, so we will come after you,’ which carries significant risks,” she said.

According to the Office of the Privacy Commissioner for Personal Data (PCPD), the hack compromised the personal data of 72,000 students and staff from seven local institutions, including names, email addresses, student IDs, and messages.

The breach was part of a broader, global attack that hit almost 9,000 educational institutions worldwide, involving 3.5 terabytes of data from 275 million users, according to Instructure.

Chung also said on Friday that there was no evidence to suggest that there had been any public data leaks.

As Instructure would need several weeks to complete its review of the incident, Chung advised organisations that use Canvas to ensure their systems are protected and to remove any sensitive information from the platform.