SINGAPORE – No sensitive information has been leaked so far in the recent global data breach of the Canvas learning platform, the Ministry of Education (MOE) said on May 16.
In response to queries, MOE said there have been no confirmed reports of data leaks as at May 14.
The ministry added that it is in touch with the government-supported institutes of higher learning affected by the breach and will “provide support where possible”.
It also said that private education institutions are expected to comply with the law and data protection regulations.
The National University of Singapore (NUS) and the Singapore Institute of Management (SIM) were among a number of local institutions allegedly hit by a global data breach on May 7.
NUS on May 8 had informed students that some information such as their names and e-mail addresses may have been exposed, but confidential information such as passwords had not been compromised.
Thousands of international institutions, including Harvard University and Stanford University, were also affected.
In Singapore, the Singapore College of Insurance (SCI), the Institute of Singapore Chartered Accountants (ISCA), NTUC LearningHub, The Learning Lab, KLC International Institute and The Learning Space SG were also named in a list of organisations that were targeted seen online on May 8.
The attack, which blocked access to the Canvas learning platform, was claimed by ShinyHunters, a well-known cyberextortion group active since at least 2019.
In a message allegedly sent by ShinyHunters and seen on forum platform Reddit, the affected institutions are threatened with the release of stolen data.
On May 11, Instructure, the US-based vendor that owns and runs Canvas, said in a statement on its website that it has “reached an agreement with the unauthorised actor involved with this incident”.
As part of the agreement, all data was returned to the company and it was informed that “no Instructure customers will be extorted as a result of this incident, publicly or otherwise”.
SIM said in an advisory notice on May 13 that there has been no evidence that the university’s systems, networks or infrastructure had been compromised.
There has also been no indication that data related to the organisation had been publicly leaked or disseminated, SIM said.
It added that heightened monitoring activities for phishing, impersonation and suspicious activity targeting SIM accounts will continue.
Instructure has also given the assurance that the affected data will not be further shared or leaked, SIM said.
In response to queries, SCI said on May 15 there has been no impact to its systems or infrastructure arising from the incident.
ISCA said on May 15 that a detailed review of its system was carried out after hearing about the cybertattack and no issues were identified.
It added that it does not store sensitive data on the Canvas platform, which is used only to host e-learning materials.