Lianhe Zaobao, 学习平台Canvas遭网袭 教育部未接数据外泄通报

(Summarised translation)

Following a recent cyberattack on the online learning platform Canvas, Singapore’s Ministry of Education (MOE) said it has been in contact with affected institutes of higher learning and, as of Thursday (May 14), had not received any confirmed reports of sensitive data leaks.

Canvas, developed by U.S. education technology company Instructure, suffered a cyberattack last Thursday (May 7), causing service disruptions that affected more than 8,000 educational institutions and over 275 million users worldwide. The ransomware group ShinyHunters claimed responsibility and threatened to release stolen data — including private chats between teachers and students, names, and email addresses — if a ransom was not paid by May 12.

In Singapore, institutions including NTUC LearningHub, the National University of Singapore, the Singapore University of Social Sciences, the Singapore Institute of Management, and the Institute of Singapore Chartered Accountants (ISCA) confirmed they were affected.

Cybersecurity expert Victor Keong, a senior lecturer from the Information Systems Technology and Design pillar at the Singapore University of Technology and Design with more than 30 years of experience, said in an interview that even if Instructure had paid a ransom to secure a relatively peaceful resolution, the long-term risks remain.

These risks include the possibility that hackers had already accessed the stolen data during the roughly one week after the breach, as well as the danger that other hackers may imitate such tactics, encouraging further cybercrime.

Based on the information he has tracked, Keong estimates that 25 local institutions may have been affected, with 15 already confirmed.

Keong said the incident exposed gaps in Singapore’s cyber defence ecosystem. While government agencies place strong emphasis on cybersecurity and sectors such as financial services have information-sharing mechanisms, growing cyber threats mean that universities, adult learning providers, and private education institutions must also strengthen their defences.

Although Instructure has reportedly reached an agreement with the hackers, Keong urged Singapore institutions to remain cautious and highly vigilant. He suggested that institutions notify the Personal Data Protection Commission, alert affected students and staff, and require users to reset their passwords.