SINGAPORE – The National University of Singapore (NUS) has informed its students that while some information such as their names and e-mail addresses may have been exposed in a global data breach, their confidential information such as passwords has not been compromised.
NUS was one of many local and international institutions affected by the massive cyberattack on May 7. The attack, claimed by ShinyHunters, a cyberextortion group, saw access to the Canvas learning platform blocked, reported AFP.
In a May 8 e-mail to students about what it called the “data security incident” involving the Canvas “learning management system” seen by The Straits Times, the Office of the University Registrar said: “The university is concerned about this matter and is working with priority with Instructure to thoroughly investigate and assess the situation.”
Instructure is the US-based vendor that owns and runs Canvas.
Attributing the information to Instructure, NUS added that the information “that may have been exposed is limited to: name, e-mail address, student ID”.
“We would like to assure you that your NUS log-in credentials such as passwords have not been compromised, and all student marks remain secure,” it added.
As an additional precaution, NUS advised students to stay alert and vigilant. The university told students not to reply to any suspicious e-mails, messages or phone calls related or unrelated to this incident.
It also urged students to refrain from sharing personal information or log-in details if contacted by suspicious people.
It added that the registrar’s office was available to assist those who had concerns about their student records.
The Singapore Institute of Management, the Singapore College of Insurance, the Institute of Singapore Chartered Accountants, NTUC LearningHub, The Learning Lab, KLC International Institute and The Learning Space SG were among the other local institutions affected by the data breach.
Thousands of foreign institutions, including Harvard University and Stanford University, were hit by the attack.
Some schools and universities whose students’ data was stolen individually sought to deal directly with the hackers to prevent data release, a source familiar with the matter told Reuters on May 8.
In a message allegedly sent by ShinyHunters and seen on forum platform Reddit, the affected institutions were threatened with the release of stolen data.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult a cyberadvisory firm and contact us privately at TOX to negotiate a settlement,” read the statement. TOX refers to a peer-to-peer messaging platform.
The institutions were given a deadline of May 12 before “everything is leaked”. The message included a link to a list of schools allegedly breached by the hackers through Canvas.
The Cyber Security Agency of Singapore (CSA) said on May 8 that it is monitoring the situation.
“We have reached out to affected organisations to offer assistance and provide advice on mitigation measures,” it said in a statement.
SIM said in response to queries that it is closely monitoring the disruption affecting access to the Canvas learning platform together with Instructure, which is working to restore services as soon as possible.
“We understand the inconvenience and concern this has caused our students and faculty,” it added.
ST has contacted NUS and CSA for more information.