Hackers Steal Data from Schools in Hong Kong

A2

Hackers Steal Data from Schools in Hong Kong

Introduction

A government office says that hackers stole information from the Canvas learning website. Seven schools in Hong Kong have a problem.

Main Body

Hackers attacked 9,000 schools around the world. In Hong Kong, they stole names and emails from 72,571 people. These people study or work at seven different universities and schools. The company, Instructure, paid money to the hackers. The hackers said they deleted the data. But the government is angry. They say paying money is bad because it does not stop future attacks. The government tells schools to check their security. They say schools must delete secret information from the website. This website had two big security problems.

Conclusion

The government is watching the situation. They tell schools to be careful with their data.

Learning

💡 The 'Action' Pattern

Look at how the text describes things happening. To reach A2, you need to know how to describe simple actions in the past and present.

1. Things that already happened (Past)

  • stole → took without asking
  • attacked → tried to break in
  • paid → gave money
  • deleted → removed

2. Things happening now or always (Present)

  • says → speaks/writes
  • is → state of being
  • tells → gives a direction

🛠️ Useful Word Pairs

In this story, we see words that work together to make a clear point. Try to learn them as a pair:

  • Stole + Information
  • Paid + Money
  • Delete + Data
  • Check + Security

⚠️ Important Note

Notice the word "Because". It connects a result to a reason: Paying money is bad → because → it does not stop future attacks.

Vocabulary Learning

government (n.)
The group that runs a country or region.
Example: The government decided to improve school security.
office (n.)
A place where people work, usually in a building.
Example: She works in a government office.
says (v.)
To speak or write something.
Example: The officer says that the hackers are still a threat.
hackers (n.)
People who break into computer systems illegally.
Example: Hackers stole data from many schools.
stole (v.)
To take something without permission.
Example: They stole names and emails from the database.
information (n.)
Facts or details about something.
Example: The stolen information included students' emails.
website (n.)
A page on the internet that people can visit.
Example: The Canvas learning website was attacked.
school (n.)
A place where children learn.
Example: Many schools are affected by the data breach.
problem (n.)
An issue or difficulty.
Example: The schools have a serious problem with security.
attack (v.)
To harm or damage something, especially a computer system.
Example: Hackers attacked thousands of schools worldwide.
name (n.)
A word or words by which a person is known.
Example: The hackers stole many names from the database.
email (n.)
A message sent electronically through the internet.
Example: Emails of students were also stolen.
study (v.)
To learn or investigate something.
Example: Students study at university and high school.
work (v.)
To perform a job or task.
Example: Many people work at the same university.
university (n.)
A higher education institution where students learn advanced subjects.
Example: Some of the people belong to different universities.
company (n.)
An organization that makes or sells goods or services.
Example: The company paid money to the hackers.
pay (v.)
To give money in exchange for something.
Example: They paid the hackers to delete the data.
money (n.)
Currency used for buying goods or services.
Example: The company paid a large amount of money.
delete (v.)
To remove something, especially from a computer.
Example: The hackers deleted the stolen data.
data (n.)
Facts and information collected for analysis.
Example: The stolen data included names and emails.
angry (adj.)
Feeling strong displeasure or annoyance.
Example: The government is angry about the breach.
stop (v.)
To bring an action to an end.
Example: Paying money does not stop future attacks.
future (n.)
The time that will come after the present.
Example: They want to protect against future threats.
tell (v.)
To communicate information to someone.
Example: The government tells schools to check security.
must (modal)
Indicates necessity or obligation.
Example: Schools must delete secret information.
check (v.)
To examine or inspect something.
Example: Check your website for security problems.
security (n.)
Protection against danger or theft.
Example: Good security keeps data safe.
secret (adj.)
Not known or shared with others.
Example: The website had secret information that was stolen.
big (adj.)
Large in size or importance.
Example: The security problems were big.
watch (v.)
To look at something carefully.
Example: The government is watching the situation.
situation (n.)
A set of circumstances or conditions.
Example: The current situation is still uncertain.
careful (adj.)
Paying attention to avoid mistakes or danger.
Example: Be careful with your data online.
B2

Cybersecurity Breach of Canvas Platform Affects Hong Kong Schools

Introduction

The Office of the Privacy Commissioner for Personal Data (PCPD) has reported a major data breach involving the Canvas learning platform, which has affected seven local institutions.

Main Body

This incident was part of a global cyberattack that targeted about 9,000 educational institutions, leading to the theft of 3.5 terabytes of data from 275 million users. In Hong Kong, the breach affected 72,571 people across several institutions, including the Hong Kong Polytechnic University and City University of Hong Kong. The stolen information includes names, email addresses, user IDs, and student identification numbers. There is a clear disagreement between the platform developer, Instructure, and the PCPD. Instructure claimed that they reached an agreement with the hackers, known as 'ShinyHunters,' and received confirmation that the data was destroyed. However, Privacy Commissioner Ada Chung strongly criticized the decision to potentially pay a ransom. She emphasized that paying illegal groups is counterproductive and argued that money should instead be spent on improving cybersecurity. Furthermore, she warned that paying ransoms might encourage more attacks and does not guarantee that all data has been recovered. To address these risks, the PCPD has advised schools to perform full security reviews and remove sensitive data from the platform. This is especially important because the platform has been hacked twice. Additionally, the Commissioner mentioned a separate concern regarding Instagram's decision to stop using end-to-end encryption for messages, suggesting that users should back up and delete their data.

Conclusion

The PCPD is continuing to monitor the situation and is urging institutions to improve their security and stay alert for phishing attempts.

Learning

⚡ The 'B2 Leap': Moving from Simple to Complex Logic

At an A2 level, you describe things using simple sentences: "The company paid the hackers. The Commissioner was angry."

To reach B2, you must stop using a series of short sentences and start using Contrastive Connectors. This allows you to show two opposing ideas in one sophisticated thought.

πŸ” The Linguistic Goldmine

Look at this shift from the text:

"Instructure claimed that they... received confirmation that the data was destroyed. However, Privacy Commissioner Ada Chung strongly criticized the decision..."

The Logic: Instead of just saying "And then this happened," the writer uses "However" to signal a conflict. This is the hallmark of B2 fluency: the ability to argue and contrast.

πŸ› οΈ Practical Upgrade Path

A2 Style (Simple)B2 Style (Sophisticated)The 'Bridge' Tool
The platform was hacked. It is still used.The platform was hacked; nevertheless, it is still used.Nevertheless (Formal contrast)
Paying hackers is fast. It is dangerous.While paying hackers is fast, it is dangerous.While (Comparing two facts)
They wanted the data back. They paid money.They wanted the data back; consequently, they paid money.Consequently (Showing result)

💡 Pro-Tip for Growth

Notice the phrase "counterproductive." An A2 student says: "It does not help." A B2 student says: "It is counterproductive."

Challenge your brain: Whenever you want to say something "is not good" or "does not work," try to find one specific adjective (like counterproductive, inefficient, or risky) to replace the whole phrase. This is how you move from 'basic communication' to 'academic precision'.

Vocabulary Learning

breach (n.)
An event where unauthorized individuals gain access to protected information.
Example: The bank suffered a breach that exposed customers' personal data.
cyberattack (n.)
An offensive operation carried out using computers or networks to damage or disrupt systems.
Example: The government launched a countermeasure after the cyberattack on the power grid.
targeted (adj.)
Chosen as a specific focus or aim.
Example: The new policy targets small businesses that are most vulnerable to fraud.
theft (n.)
The act of taking something that belongs to someone else without permission.
Example: The theft of the company's trade secrets cost them millions.
terabyte (n.)
A unit of digital information equal to about one trillion bytes.
Example: The backup system can store up to 10 terabytes of data.
stolen (adj.)
Taken illegally or without permission.
Example: The stolen documents were found in a hidden folder.
information (n.)
Facts or data that are communicated or received.
Example: She shared useful information about the upcoming event.
disagreement (n.)
A lack of agreement or a conflict of opinions.
Example: Their disagreement over the contract terms delayed the signing.
agreement (n.)
A mutual understanding or arrangement between parties.
Example: They signed an agreement to collaborate on research.
hackers (n.)
Individuals who use computers to break into systems illegally.
Example: The hackers exploited a vulnerability in the software.
confirmation (n.)
The act of verifying or affirming something.
Example: The confirmation of the appointment was sent via email.
criticized (v.)
Expressed disapproval or pointed out faults.
Example: She criticized the report for its lack of detail.
counterproductive (adj.)
Having the opposite effect of what is intended.
Example: The new policy turned out to be counterproductive, increasing errors.
cybersecurity (n.)
The practice of protecting computers and networks from attacks.
Example: Cybersecurity measures are essential for protecting sensitive data.
guarantee (v.)
To promise or assure that something will happen.
Example: They guarantee that the product will last for five years.
remove (v.)
To take away or eliminate.
Example: Please remove the outdated files from the server.
sensitive (adj.)
Information that must be protected because it could cause harm if disclosed.
Example: Sensitive personal data should be encrypted.
encryption (n.)
The process of converting information into a coded form to prevent unauthorized access.
Example: The email uses encryption to keep the message private.
phishing (n.)
A fraudulent attempt to obtain sensitive information by disguising as a trustworthy entity.
Example: Phishing emails often ask for passwords.
monitor (v.)
To observe and check the progress or quality of something over time.
Example: We will monitor the system for any unusual activity.
C2

Cybersecurity Breach of Canvas Platform Affecting Hong Kong Educational Institutions

Introduction

The Office of the Privacy Commissioner for Personal Data (PCPD) has reported a significant data breach involving the Canvas learning platform, impacting seven local institutions.

Main Body

The breach constitutes a component of a global cyberattack targeting approximately 9,000 educational institutions, resulting in the compromise of 3.5 terabytes of data from 275 million users. Within the Hong Kong jurisdiction, the incident affected 72,571 individuals across the Hong Kong Polytechnic University, the Hong Kong Institute of Construction, Hong Kong Education City Limited, the Hong Kong University of Science and Technology, the Hong Kong Academy for Performing Arts, Hong Kong Art School, and City University of Hong Kong. Compromised data categories include names, email addresses, user identifiers, departmental affiliations, and student identification numbers. Stakeholder positioning reveals a divergence between the platform developer, Instructure, and the PCPD. Instructure reported that an agreement was reached with the threat actor, identified as 'ShinyHunters,' following which the company received digital confirmation of data destruction. Conversely, Privacy Commissioner Ada Chung expressed strong condemnation regarding the potential payment of ransoms. The PCPD posits that such financial concessions to illegal entities are counterproductive, suggesting that resources should be redirected toward the fortification of cybersecurity infrastructure. Furthermore, the Commissioner highlighted the systemic risks associated with ransom payments, noting that such actions may incentivize subsequent attacks and provide no empirical guarantee of total data recovery or the absence of unauthorized backups. In response to the vulnerability, the PCPD has advised institutions to execute comprehensive security reviews and purge sensitive data from the platform. This directive follows the observation that the platform has been compromised on two separate occasions. 
Additionally, the Commissioner noted a separate concern regarding Instagram's decision to discontinue end-to-end encryption for messaging as of May 8, recommending that users implement data backup and deletion protocols.

Conclusion

The PCPD continues to monitor the situation while urging institutions to enhance their security posture and remain vigilant against potential phishing attempts.

Learning

The Architecture of Nominalization and Lexical Precision

To ascend from B2 to C2, a student must migrate from narrative prose (focusing on who did what) to conceptual prose (focusing on states, processes, and systemic relationships). The provided text is a masterclass in Nominalization: the process of turning verbs or adjectives into nouns to create a high-density, objective academic tone.

⚡ The 'C2 Pivot': From Action to Entity

Observe the shift in the text's logic. A B2 writer describes an event; a C2 writer describes a phenomenon.

  • B2 Approach (Verbal/Linear): "The platform was breached and this affected many people, which caused a divergence in how the developer and the commissioner felt about it."
  • C2 Approach (Nominalized/Static): "Stakeholder positioning reveals a divergence between the platform developer... and the PCPD."

By turning the act of 'positioning' (verb) and 'diverging' (verb) into nouns, the author creates a stable conceptual object that can then be analyzed. This is the hallmark of professional discourse.

πŸ” Deconstructing High-Value Lexis

The text employs specific collocations that signal institutional authority. Note the precision of these pairings:

Fortification of infrastructure β†’\rightarrow Not just "making it stronger," but a systemic reinforcement. Empirical guarantee β†’\rightarrow Not just "proof," but a guarantee based on observable, verifiable evidence. Systemic risks β†’\rightarrow Risks that are inherent to the entire structure, rather than isolated incidents.

πŸ› οΈ Analytical Application

To mirror this style, replace causal conjunctions (like because or so) with Abstract Noun Phrases.

Transformation Exercise (Mental Model): Instead of saying "Because they paid the ransom, more attacks might happen," use the text's logic: "Such actions may incentivize subsequent attacks."

Key Takeaway for C2 Mastery: Stop telling a story about what happened. Start describing the implications of the event using nouns as the primary drivers of your sentences.

Vocabulary Learning

divergence (n.)
The state of being different or inconsistent.
Example: The divergence between the two reports highlighted significant inconsistencies.
counterproductive (adj.)
Having the opposite effect of what is intended.
Example: Offering a ransom was counterproductive, potentially encouraging future attacks.
fortification (n.)
The act of strengthening or the state of being fortified.
Example: The company invested heavily in the fortification of its network against cyber threats.
systemic (adj.)
Relating to or affecting an entire system.
Example: The systemic risks posed by ransomware demand comprehensive safeguards.
vulnerability (n.)
A weakness that can be exploited.
Example: The recent breach exposed a critical vulnerability in the platform's authentication module.
vigilant (adj.)
Watchful and alert to potential danger.
Example: Security teams remained vigilant after the second compromise.
phishing (n.)
Fraudulent attempt to obtain sensitive information.
Example: Phishing attempts often masquerade as legitimate emails to trick users.
jurisdiction (n.)
The official power to make legal decisions.
Example: The incident fell under the jurisdiction of Hong Kong's privacy authorities.
compromise (v.)
To give in or to weaken security.
Example: The attackers compromised the database, gaining access to sensitive data.
infrastructure (n.)
The basic physical and organizational structures needed.
Example: Upgrading the cybersecurity infrastructure is essential for resilience.