Skip to content

Media Responses

Response to Media Enquiry or Report

Date: 13 May 2026

Response to media enquiry on the follow-up of the data breach incident of Canvas 

Enquiry:
“We learned that Instructure, parent company of Canvas, has reached an agreement with the hacker.
 
I have following inquiries:
  1. What is the latest figure on the number of cases calling for assistance regarding the Canvas data breach?
  2. What is the breakdown of follow-up status of these cases, if any?
  3. What are PCPD's responses to the incident?”
Answers (Questions 1-3):
  • As of 13 May 2026, the Office of the Privacy Commissioner for Personal Data received data breach notifications from seven institutions — The Hong Kong Polytechnic University, The Hong Kong Institute of Construction, Hong Kong Education City Limited, The Hong Kong University of Science and Technology, The Hong Kong Academy for Performing Arts, Hong Kong Art School and City University of Hong Kong.
     
  • Upon receipt of the data breach notifications, the PCPD has recommended the relevant organisations to promptly notify the affected data subjects, and has provided advice to the organisations on the remedial actions to be taken to mitigate the impact of the incident.
     
  • For organisations which may be affected by the incident, the PCPD recommends the following remedial actions:-
    • Conduct a comprehensive security review of their information systems, including the affected platform, before resuming use of the platform;
    • Isolate the affected platform, where practicable, from other information systems;
    • System logs should be monitored for anomalous activities, including unusual login activities and large-scale data exports;
    • Any data or content exported from the platform should be subjected to appropriate security scanning; and
    • Remove or minimise sensitive data stored on the platform.
       
  • The PCPD appeals to the affected data subjects to remain vigilant about potential theft of their personal data. To protect personal data privacy, affected data subjects are advised to take the following measures:-
    • Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources, do not open attachments or disclose personal data arbitrarily;
    • Be vigilant against phishing or other possible scams;
    • Consider changing the user credentials of Canvas account and other online accounts and activate the multi-factor authentication function (if available);
    • Beware of any unusual logins of personal emails, the Canvas account or other accounts; and
    • If affected data subjects are in doubt about whether their personal data have been leaked, they may make enquiries with the relevant organisations or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk).