Date: 15 May 2026
Privacy Commissioner’s Office Reminds Affected Organisations and the Public to Safeguard Personal Data Privacy in Relation to the Canvas Data Breach Incident
Regarding the data breach incident involving the online learning management platform Canvas, the Office of the Privacy Commissioner for Personal Data (PCPD) has received data breach notifications from seven organisations: The Hong Kong Polytechnic University, The Hong Kong Institute of Construction, Hong Kong Education City Limited, The Hong Kong University of Science and Technology, The Hong Kong Academy for Performing Arts, Hong Kong Art School and City University of Hong Kong. Upon receipt of the data breach notifications, the PCPD recommended that the relevant organisations promptly notify the affected data subjects, and provided advice on the remedial measures that the organisations can take to mitigate the possible impact of the incident.
Although the operator of the relevant platform has announced that the unauthorised actor has returned the compromised data to it, the PCPD reminds users who are possibly affected by the incident to remain vigilant and guard against possible misuse of their personal data. To protect personal data privacy, the PCPD recommends that affected users take the following measures:
- Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources, including text messages or emails purportedly sent from the Canvas platform, and refrain from opening attachments or links, or disclosing personal data arbitrarily;
- Be vigilant against phishing or other possible scams;
- Consider changing the user credentials of their Canvas accounts and other online accounts, and enable the multi-factor authentication function (if available);
- Beware of any unusual logins to their personal emails, Canvas accounts or other accounts; and
- If they suspect that they may be affected, they may make enquiries with the relevant organisations or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk).
Any organisations which suspect that they may be affected by the incident and require assistance are welcome to contact the PCPD. The PCPD also recommends that potentially affected organisations adopt the following remedial measures:
- Conduct a comprehensive security review of their information systems (including the affected platform) before resuming use of the platform;
- Where practicable, segregate the affected platform from other information systems;
- Monitor relevant system logs for anomalous activities, including unusual login activities and large-scale data exports;
- Remove or minimise sensitive data stored on the platform; and
- Apply security scanning to all data or content exported from the affected platform.