Canvas cyberattack: NUS, SIM, NTUC LearningHub ask users to reset passwords as added precaution

SINGAPORE – The National University of Singapore (NUS), Singapore Institute of Management (SIM) and NTUC LearningHub have asked their users to reset their passwords as an added precaution following a global data breach.

In an e-mail sent on May 10 and seen by The Straits Times, NUS said staff and students who had previously logged in to Canvas should reset their NUS passwords.

Affected users will be prompted to do so when they next access NUS IT services, including their e-mails, VPN or other systems requiring NUS authorisation.

As it continues to monitor the situation, NUS said Canvas has been placed under controlled access, adding that only selected users who require Canvas for critical academic or operational purposes will be granted access.

The measure will be in effect from May 11 to 14. NUS added that it will review the situation on May 14 to see if an extension is necessary.

“These steps are intended to mitigate the risk of unauthorised access during this period of increased vigilance,” said NUS.

Separately, SIM sent out an e-mail to its alumni on May 9 advising them to change their passwords on SIM platforms.

It added that they should also make the change on all other accounts where the same password is used.

They should also check the login page before entering their credentials and look out for unusual signs, including unexpected messages, pop-ups or prompts for unfamiliar information, SIM said.

“Be alert to phishing. Expect scam e-mails or messages referencing Canvas, your SIM e-mail or your student ID. Do not click links in suspicious messages,” the e-mail read. SIM also advised its alumni to avoid logging in from public or shared devices.

In an e-mail sent on the evening on May 11, NTUC LearningHub confirmed that its Canvas platform account was affected by the data breach.

It said: “Based on our current assessment, the impact to our learners is minimal, as we only use Canvas for courseware distribution and assessments.

“The information stored on the platform is limited to learners’ names and email addresses, with mobile numbers collected for only a very small group of learners.”

NUS, SIM and NTUC LearningHub were among many local and international institutions affected by a massive cyberattack on May 7. The attack, claimed by cyberextortion group ShinyHunters, resulted in access to the Canvas learning platform being blocked.

In response to media queries, an NUS spokesperson said on May 9 that the data breach comprised names, e-mail addresses and matriculation numbers. “No other sensitive personal information, including login credentials, is compromised,” NUS had said.

The Singapore College of Insurance, Institute of Singapore Chartered Accountants, The Learning Lab, KLC International Institute and The Learning Space SG were also named in a list of organisations allegedly hit by a global data breach seen online on May 8.