Cybersecurity Notice: Instructure (Canvas) Security Incident

14 . 05 . 2026

As you may be aware, Instructure, the company that develops and operates Canvas, recently reported a cybersecurity incident. The Academy adopts Canvas for its eHKAM Learning Management System (LMS), which has been affected.  The Academy would like to provide the following information and latest updates to Fellows and eHKAM LMS users.

We have been following up with Instructure, aiming to ascertain whether any personal data of our LMS users may have been compromised. Based on the latest reply from Instructure, the exact impact on the Academy (if any) is yet to be available. Instead, Instructure has provided an update lately that the security incident has been settled after it has reached an agreement with the unauthorized actor involved in this incident.

Current status of the eHKAM LMS
Canvas is now fully restored and operational and safe to use.

eHKAM Login Credentials 
Please be assured that your eHKAM account remains protected. The eHKAM LMS login uses Single Sign-On (SSO), which means your login credentials are not stored within the Canvas system. At this stage, there is no indication that passwords or Academy login credentials have been compromised.

Stay alert for phishing emails
Please remain vigilant against phishing emails that may appear to be related to Canvas or the eHKAM LMS. In particular:

  • Genuine Canvas notification emails are sent from: [email protected]
  • Do not click suspicious links or open unexpected attachments
  • Avoid entering your credentials through links in emails. Always access Canvas directly via the official login page: eHKAM LMS Login Page

Precautionary measures taken by the Academy
To further safeguard our users and systems, the Academy has implemented the following precautionary measures:

  1. Password reset for non-eHKAM accounts
    All non-eHKAM users are required to change their passwords. Based on the information currently available from Instructure, there is no evidence of password leakage at this stage.
  2. Reset of passphrases used for system integration
    At the backend, all relevant passphrases have been reset by our IT colleagues to reduce the risk of unauthorized access and to help prevent potential data leakage in line with cybersecurity best practices.

The Academy treats cybersecurity and the protection of user information as a top priority. We are closely monitoring the situation and will provide further updates as appropriate.

If you encounter any suspicious situation (e.g. suspicious emails/messages, unusual login prompts, or unexpected account activity), please report it to us immediately at [email protected].