SINGAPORE (The Straits Times/ANN): A number of local institutions, including the National University of Singapore and the Singapore Institute of Management (SIM), have been named in a list of organisations allegedly hit by a global data breach seen online on May 8.
The Singapore College of Insurance, the Institute of Singapore Chartered Accountants (ISCA), NTUC LearningHub, The Learning Lab, KLC International Institute and The Learning Space SG were also listed.
Thousands of institutions, including Harvard University and Stanford University, were hit by a massive cyberattack on May 7, following an earlier data breach.
The attack, which blocked access to the Canvas learning platform, was claimed by ShinyHunters, a well-known cyberextortion group active since at least 2019.
In a message allegedly sent by ShinyHunters and seen on forum platform Reddit, the affected institutions are threatened with the release of stolen data.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyberadvisory firm and contact us privately at TOX to negotiate a settlement,” read the statement.
TOX refers to a peer-to-peer messaging platform.
The institutions are given a deadline of May 12 before “everything is leaked”.
The message included a link to a list of schools allegedly breached by the hackers through Canvas.
Instructure, the US-based education technology company behind the Canvas system, confirmed on May 2 that it had suffered a cyberattack.
“Indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, e-mail addresses and student ID numbers, as well as messages among users.
“At this time, we have found no evidence that passwords, dates of birth, government identifiers or financial information were involved,” it said.
In an update on May 6, the company said that Canvas was fully operational, and “we are not seeing any ongoing unauthorised activity”.
The Cyber Security Agency of Singapore said on May 8 that it is monitoring the situation.
“We have reached out to affected organisations to offer assistance and provide advice on mitigation measures,” it said in a statement.
SIM said in response to queries that it is closely monitoring the disruption affecting access to the Canvas learning platform together with Instructure, which is working to restore services as soon as possible.
“We understand the inconvenience and concern this has caused our students and faculty,” it added.
In the meantime, alternative arrangements will be implemented for affected students, the institution said on its website on May 8.
These include sending meeting links directly to students for Zoom lessons, potentially postponing deadlines for affected quizzes and assignments, and providing information on the retrieval of course materials.
For the ISCA, potentially affected data is limited to names and e-mail addresses associated with Canvas, said a spokesperson for the institute on May 8 in response to media queries.
“There is no indication that other sensitive data like NRIC or FIN numbers have been compromised.”
There has been no disruption to the institute’s core systems or operations as its internal systems do not have continuous data synchronisation with Canvas, said the spokesperson.
Its internal systems remain secure and unaffected as the data breach is confined to the Canvas learning management system, added the spokesperson.
“Teaching, training and member services have not been disrupted. Members continue to have access to learning and professional development resources.”
Canvas had been one of several platforms supporting the institute’s e-learning delivery, said the spokesperson. The institute has been progressively transitioning its digital learning services to internally managed platforms over the past year.
It added that it has consulted its legal advisers and will be notifying the Personal Data Protection Commission as a precautionary measure.
“We are continuing to work with the relevant parties to verify and close out the matter thoroughly,” it said. -- The Straits Times/ANN
Meanwhile, the Singapore College of Insurance said its systems are unaffected and that it is not aware of any data compromise involving it or its students.
“While the incident did not occur within SCI’s systems, we are taking the matter very seriously and are in close contact with the vendor, including being regularly apprised of the progress of their investigations,” it said.
It added that arrangements have been implemented to ensure programmes continue to be delivered and that students have access to learning materials. -- The Straits Times/ANN
