Students’ names, IDs ‘may have been exposed’ in Canvas cyberattack but passwords, marks safe: NUS
Sign up now: Get ST's newsletters delivered to your inbox
In a May 8 e-mail, NUS told students their passwords and marks remained secure amid the global data breach.
PHOTO: ST FILE
SINGAPORE – The National University of Singapore (NUS) has informed its students that while some information such as their names and e-mail addresses may have been exposed in a global data breach, their confidential information such as passwords has not been compromised.
NUS was one of many local and international institutions affected by the massive cyberattack on May 7. The attack, claimed by cyberextortion group ShinyHunters, saw access to the Canvas learning platform blocked, reported AFP.
In a May 8 e-mail to students about what it called the “data security incident” involving the Canvas “learning management system” seen by The Straits Times, NUS said it was working with Instructure to “thoroughly investigate and assess the situation”. Instructure is the US-based vendor that owns and runs Canvas.
Attributing the information to Instructure, NUS added that the data “that may have been exposed is limited to: name, e-mail address, student ID”.
“We would like to assure you that your NUS log-in credentials such as passwords have not been compromised, and all student marks remain secure,” it added.
In a reply to ST queries on May 9, NUS said: “Operational impact is assessed to be minimal as the current semester has concluded and all examinations have ended.
“We have in place backup and business continuity processes to ensure downstream activities such as marking and grading proceed unaffected.”
The Singapore University of Social Sciences (SUSS) also told ST on May 9 that “access to Canvas has been restored and there has been no significant disruption to SUSS’ overall operations”.
As an additional precaution, both NUS and SUSS advised students to stay alert and vigilant.
Students were urged not to reply to suspicious e-mails, messages or phone calls, to refrain from sharing personal information or log-in details, and to change passwords and enable multi-factor authentication where available.
SUSS added that it was reviewing relevant access controls and security configurations.
The Singapore Institute of Management, the Singapore College of Insurance, the Institute of Singapore Chartered Accountants, NTUC LearningHub, The Learning Lab, KLC International Institute and The Learning Space SG were among the other local institutions affected by the data breach.
Thousands of foreign institutions, including Harvard University and Stanford University, were hit by the attack.
Some schools and universities whose students’ information was stolen individually sought to deal directly with the hackers to prevent data release, a source familiar with the matter told Reuters on May 8.
In a message allegedly sent by ShinyHunters and seen on forum platform Reddit, the affected institutions were threatened with the release of stolen data.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult a cyberadvisory firm and contact us privately at TOX to negotiate a settlement,” read the statement. TOX is a peer-to-peer messaging platform.
The institutions were given a deadline of May 12 before “everything is leaked”. The message included a link to a list of schools allegedly breached by the hackers through Canvas.
The Cyber Security Agency of Singapore (CSA) said on May 8 that it is monitoring the situation and has offered assistance and advice to affected organisations.
ST has contacted CSA for more information.
- Additional reporting by Rhea Yasmine, Wong Man Shun
