
Hong Kong experts have warned that the recent data breach of the learning platform Canvas shows student information is increasingly exploited by criminals for profit, and called for tighter security protocols on using cloud services and making periodic local data backups.
The Canvas Learning Management System is widely adopted by universities worldwide for online learning and course management. The platform's parent company, US-based Instructure, was hacked late last week, compromising 3.65 terabytes of data, potentially including usernames, email addresses, student IDs and messages between users. The incident has affected an estimated 275 million users worldwide.
In Hong Kong, seven institutions have so far proactively reported the suspected data leak to the Office of the Privacy Commissioner for Personal Data: Hong Kong University of Science and Technology (HKUST), Hong Kong Polytechnic University, City University of Hong Kong, Hong Kong Institute of Construction, Hong Kong Academy for Performing Arts, Hong Kong Art School, and Hong Kong Education City Ltd.
A third-year HKUST business undergraduate, who gave his name as Jason, told China Daily that he received an email from the university on Friday morning about the attack and then the platform was down until around 2 pm. After the incident, the university extended assignment deadlines and launched a dedicated webpage on data security, he said.
Jason said his studies were largely unaffected, though he expressed surprise that such a widely used platform could be so easily hacked.
Zhang Yuyan, a first-year HKUST undergraduate, said the university responded promptly, including by sending an email with a link to cybersecurity tips and reminding students to verify Canvas-related requests.
Zhang suggested that the university should develop a backup plan, adding that HKUST’s Department of Computer Science and Engineering already runs a stable, in‑house system for its computer science-related courses, which was unaffected by the Canvas outage.
At a media briefing on Monday, Edmond Lai Shiao-bun, chief digital officer of the Hong Kong Productivity Council, said that for such a centralized platform — which relies on a central server to manage data with all users connecting to this central point to perform actions — a cloud attack affects users globally.
For universities, using third-party services may also create cybersecurity gaps because it is difficult for institutions to intervene in the operation of those services, leaving them in a relatively passive role, Lai said.
Given the risks of sensitive data leaks and of data being tampered with or deleted on the platform, he advised affected institutions to temporarily suspend their use of the platform, conduct a full review covering their data, accounts and other services and systems linked to the platform, and remind staff and students to heighten their vigilance.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, told China Daily that the attack on Canvas was essentially a precision strike on “data assets”.
Student data, which Fong described as of high value because of its “clean credit record”, is perfect for opening virtual accounts and applying for fraudulent loans on the dark web. And criminals can exploit the abundant teacher-student messages on the platform to forge very believable scams.
Fong warned that the breach sounded a global alarm on “supply chain security”. A centralized platform like Canvas, once compromised, could trigger a chain reaction across thousands of schools, crippling infrastructure and enabling long-term identity theft while also eroding trust in digital education.
With hacking techniques advancing rapidly, putting billions of people’s privacy in a few tech giants’ hands is like “putting all your eggs in one basket”. Fong urged placing security before convenience and not waiting until control has been lost.
Hong Kong lawmaker William Wong Kam-fai, who has a technology background, said that the security performance of overseas-operated platforms is beyond local control. To prevent future incidents, he advised institutions to thoroughly assess a company’s data protection measures before signing contracts, and to perform regular data backups.
Technology and innovation sector lawmaker Duncan Chiu said the core issue lies in future data policy — including how to classify data into different privacy categories, the policy regarding storage of data, third-party responsibilities, and cross-border governance.
“As we touch more and more data easily today with artificial intelligence and different tools and means to collect data, any corporation can gather a large pool of data, and sometimes sensitive data,” he said, stressing the need for legislation to clarify safe data-keeping practices for corporations in Hong Kong.
However, he argued against developing a local learning platform, noting that clear data governance guidelines would allow universities to use the best products from around the world.
Wong agreed, adding that building such platforms requires time and money and would involve reinventing services that already work well.
Roys Zhang contributed to the story.
Contact the writer at amberwu@chinadailyhk.com
