Cybersecurity Breach of Canvas Platform Affects Hong Kong Schools

May 15, 2026, 09:21

Introduction

The Office of the Privacy Commissioner for Personal Data (PCPD) has reported a major data breach involving the Canvas learning platform, which has affected seven local institutions.

Main Body

This incident was part of a global cyberattack that targeted about 9,000 educational institutions, leading to the theft of 3.5 terabytes of data from 275 million users. In Hong Kong, the breach affected 72,571 people across several institutions, including the Hong Kong Polytechnic University and City University of Hong Kong. The stolen information includes names, email addresses, user IDs, and student identification numbers. There is a clear disagreement between the platform developer, Instructure, and the PCPD. Instructure claimed that they reached an agreement with the hackers, known as 'ShinyHunters,' and received confirmation that the data was destroyed. However, Privacy Commissioner Ada Chung strongly criticized the decision to potentially pay a ransom. She emphasized that paying illegal groups is counterproductive and argued that money should instead be spent on improving cybersecurity. Furthermore, she warned that paying ransoms might encourage more attacks and does not guarantee that all data has been recovered. To address these risks, the PCPD has advised schools to perform full security reviews and remove sensitive data from the platform. This is especially important because the platform has been hacked twice. Additionally, the Commissioner mentioned a separate concern regarding Instagram's decision to stop using end-to-end encryption for messages, suggesting that users should back up and delete their data.

Conclusion

The PCPD is continuing to monitor the situation and is urging institutions to improve their security and stay alert for phishing attempts.

Learning

⚡ The 'B2 Leap': Moving from Simple to Complex Logic

At an A2 level, you describe things using simple sentences: "The company paid the hackers. The Commissioner was angry."

To reach B2, you must stop using a series of short sentences and start using Contrastive Connectors. This allows you to show two opposing ideas in one sophisticated thought.

🔍 The Linguistic Goldmine

Look at this shift from the text:

*"Instructure claimed that they... received confirmation that the data was destroyed. However, Privacy Commissioner Ada Chung strongly criticized the decision..."

The Logic: Instead of just saying "And then this happened," the writer uses "However" to signal a conflict. This is the hallmark of B2 fluency: the ability to argue and contrast.

🛠️ Practical Upgrade Path

A2 Style (Simple)	B2 Style (Sophisticated)	The 'Bridge' Tool
The platform was hacked. It is still used.	The platform was hacked; nevertheless, it is still used.	Nevertheless (Formal contrast)
Paying hackers is fast. It is dangerous.	While paying hackers is fast, it is dangerous.	While (Comparing two facts)
They wanted the data back. They paid money.	They wanted the data back; consequently, they paid money.	Consequently (Showing result)

💡 Pro-Tip for Growth

Notice the phrase "counterproductive." An A2 student says: "It does not help." A B2 student says: "It is counterproductive."

Challenge your brain: Whenever you want to say something "is not good" or "does not work," try to find one specific adjective (like counterproductive, inefficient, or risky) to replace the whole phrase. This is how you move from 'basic communication' to 'academic precision'.

Vocabulary Learning

breach (n.)

An event where unauthorized individuals gain access to protected information.

Example:The bank suffered a breach that exposed customers' personal data.

cyberattack (n.)

An offensive operation carried out using computers or networks to damage or disrupt systems.

Example:The government launched a countermeasure after the cyberattack on the power grid.

targeted (adj.)

Chosen as a specific focus or aim.

Example:The new policy targets small businesses that are most vulnerable to fraud.

theft (n.)

The act of taking something that belongs to someone else without permission.

Example:The theft of the company's trade secrets cost them millions.

terabyte (n.)

A unit of digital information equal to about one trillion bytes.

Example:The backup system can store up to 10 terabytes of data.

stolen (adj.)

Taken illegally or without permission.

Example:The stolen documents were found in a hidden folder.

information (n.)

Facts or data that are communicated or received.

Example:She shared useful information about the upcoming event.

disagreement (n.)

A lack of agreement or a conflict of opinions.

Example:Their disagreement over the contract terms delayed the signing.

agreement (n.)

A mutual understanding or arrangement between parties.

Example:They signed an agreement to collaborate on research.

hackers (n.)

Individuals who use computers to break into systems illegally.

Example:The hackers exploited a vulnerability in the software.

confirmation (n.)

The act of verifying or affirming something.

Example:The confirmation of the appointment was sent via email.

criticized (v.)

Expressed disapproval or pointed out faults.

Example:She criticized the report for its lack of detail.

counterproductive (adj.)

Having the opposite effect of what is intended.

Example:The new policy turned out to be counterproductive, increasing errors.

cybersecurity (n.)

The practice of protecting computers and networks from attacks.

Example:Cybersecurity measures are essential for protecting sensitive data.

guarantee (v.)

To promise or assure that something will happen.

Example:They guarantee that the product will last for five years.

remove (v.)

To take away or eliminate.

Example:Please remove the outdated files from the server.

sensitive (adj.)

Information that must be protected because it could cause harm if disclosed.

Example:Sensitive personal data should be encrypted.

encryption (n.)

The process of converting information into a coded form to prevent unauthorized access.

Example:The email uses encryption to keep the message private.

phishing (n.)

A fraudulent attempt to obtain sensitive information by disguising as a trustworthy entity.

Example:Phishing emails often ask for passwords.

monitor (v.)

To observe and check the progress or quality of something over time.

Example:We will monitor the system for any unusual activity.