U of W says student, faculty info stolen in cyberattack Credit-monitoring service offered for two years to combat identity theft
Read this article for free:
or
Already have an account? Log in here »
To continue reading, please subscribe:
Digital Subscription
One year of digital access for only $75*
- Enjoy unlimited reading on winnipegfreepress.com
- Read the E-Edition, our digital replica newspaper
- Access News Break, our award-winning app
- Play interactive puzzles
*Billed as $5.77 plus GST every four weeks. After 52 weeks, price increases to the regular rate of $19.95 plus GST every four weeks. Offer available to new and qualified returning subscribers only. Cancel any time.
Monthly Digital Subscription
$4.99/week*
- Enjoy unlimited reading on winnipegfreepress.com
- Read the E-Edition, our digital replica newspaper
- Access News Break, our award-winning app
- Play interactive puzzles
*Billed as $19.95 plus GST every four weeks. Cancel any time.
To continue reading, please subscribe:
Add Free Press access to your Brandon Sun subscription for only an additional
$1 for the first 4 weeks*
- Enjoy unlimited reading on winnipegfreepress.com
- Read the E-Edition, our digital replica newspaper
- Access News Break, our award-winning app
- Play interactive puzzles
*Your next Brandon Sun subscription payment will increase by $1.00 and you will be charged $17.95 plus GST for four weeks. After four weeks, your payment will increase to $24.95 plus GST every four weeks.
Read unlimited articles for free today:
or
Already have an account? Log in here »
Hey there, time traveller!
This article was published 04/04/2024 (832 days ago), so information in it may no longer be current.
Cyber thieves have stolen decades’ worth of personal and financial information from students and faculty members at the University of Winnipeg, which was forced to delay exams in response to the attack in late March.
University officials confirmed data from an internal file server was compromised, as they updated the campus community Thursday.
The stolen data includes names, birthdates, street addresses, social insurance numbers, tuition amounts and employee salary information.
“Our community has been subject to a cyber crime. It is disturbing that higher education institutions like the university and other public-sector organizations are being targeted by cyberattacks,” the university said.
“This has been a terrible incident that has directly impacted our community, and for that we are deeply sorry. Rest assured that we will carefully consider the results of our investigation with a commitment to emerge from this incident with stronger cyber defences.”
The university has compiled a list of students and faculty members whose information is believed to have been compromised.
It includes an assortment of current and former students and staff, with some of the affected data dating back to 2003.
The institution is continuing to investigate which groups are affected. It said it will provide further updates as they become available, but noted “this investigation may take time, possibly months.”
The Winnipeg Police Service, Canadian Centre for Cybersecurity and Manitoba’s ombudsman have been notified, the university said.
Demographic and type of information likely affected by cyberattack
Names, social insurance numbers, dates of birth, street addresses, phone numbers, and compensation information of all current and former staff employed since 2003
- Names, social insurance numbers, dates of birth, street addresses, phone numbers, and compensation information of all current and former staff employed since 2003
- Bank account information of all current and former employees since 2015
- Names programs of study, street addresses, student numbers, dates of birth, social insurance numbers (domestic students only), fee and tuition amounts, gender information, and marital status information of all students enrolled in undergraduate and graduate proframs since September 2018
- Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers (domestic students only), and tuition amounts for all students enrolled in professional, applied and continuing education and English language programs since September 2019
- Names, street addresses, social insurance numbers (domestic students only) and funding amounts for all students to whom the University issued T4A forms since 2016
- It is unclear whether university donors’ information was compromised
While news of the data theft slowly spread across campus Thursday afternoon, students studying or having a beer at the school’s Elements restaurant could be heard discussing the possible consequences.
Thomas Hepworth, 20, a third-year physics student who also works as a teacher’s assistant, was doubly affected by the hack.
“My bank information as well as my entire identity is compromised,” he said. “(Last week) they said, ‘We think it’s fine, we don’t think data is compromised.’ What they should have done is act like it was so we could change things as needed.”
Meanwhile, biology professor Scott Forbes was busy changing his passwords.
“This is an absolute nightmare,” he said. “All the information needed for identity theft is now in the public domain.”
Forbes’ entire family was affected by the hack; both his wife and two sons attended the school in the years from which the data was stolen, he said.
Forbes suspected his data had been compromised when, on Saturday, his personal iPad sent him an alert saying some of his passwords were involved in a data breach.
“This is an absolute nightmare. All the information needed for identity theft is now in the public domain.”–Scott Forbes, biology professor
The professor said it would have been prudent for the university to advise those potentially affected to take steps to protect their online identities while the attack was being investigated.
He questioned why the institution collects social insurance numbers from students in the first place.
“How many people will be setting up mortgages in my name?” he said. “I’m going to be watching over my shoulder for the rest of my life.”
The university is offering to cover the cost of credit monitoring for affected students and staff for two years, which will help protect them from identity fraud. People who register for the service will receive an immediate alert if someone tries to open a credit account under their name.
The credit program is “one of the best means of protecting yourself,” said the university. “We are not recommending that employees and former employees attempt to change their bank account numbers or their other identification numbers, and social insurance numbers cannot be changed without evidence of actual misuse.”
The institution will not be compensating those affected, but said the credit program service includes insurance. Anybody who suspect they are a victim of identity theft linked to the breach should notify the university immediately, it said.
Enrolment codes and instructions were to be mailed and emailed to affected employees and students in the coming days, it said.
Mathieu Manaigre, founder and CEO of Winnipeg-based Avenir IT, urged potential victims to take advantage of the credit monitoring service.
He advised them to change any information that may have been compromised, including bank account numbers.
“I would be proactive and deal with this now,” he said.
Hackers typically use phishing emails or messages to dupe people into sharing information that enables them to gain access to computer data.
“If someone clicks on an email and shares the wrong information, the bad guys get in, and they can go undetected for a long time,” said Manaigre.
A cyberattack on the University of Winnipeg was discovered March 24. (MIKAELA MACKENZIE / FREE PRESS FILES)
The university first detected the attack on March 24, but the latest update suggests the theft likely occurred a week earlier.
“If they’re stealing data, it’s to be sold on the dark web,” Manaigre said, adding it’s a very lucrative scheme for criminals.
Although the public has become better educated on the risks, data theft remains among the most common form of cyberattacks, he said.
“However, the fact that it happened to the University of Winnipeg, it kind of hits home a little bit more,” he said.
Faculty members have already started discussing new best practices to ensure that sensitive data cannot be exposed in a similar way again, said Peter Miller, president of the University of Winnipeg Faculty Association.
“We are going to be looking to meet with the employer as soon as possible to discuss it in more depth,” he said.
The university has published updates about the incident almost daily since it was discovered.
When administration confirmed personal data had been stolen, Miller immediately phoned his credit union. The employee on the other line told him they had already fielded similar calls from other university employees, he said.
“With this sort of thing, there is always going to be confusion and stress and anxiety. I don’t think it can be erased, no matter the scale of communication,” he said.
“I think we, every faculty member and employee, will want to have that transparency continue, especially now that we know it’s not just a major inconvenience.”
Christine Quiah, University of Winnipeg Students Association vice-president of student affairs, said the revelation is unsettling because some of the data that was stolen is particularly sensitive.
“If it gets leaked, we don’t know who will get to know this information, which may be harmful for students.”–Christine Quiah, U of W Students Association vice-president
She pointed to home addresses, gender information and social insurance numbers, as examples.
“If it gets leaked, we don’t know who will get to know this information, which may be harmful for students. Now that we know what’s been exposed, I’m sure the university will take (action),” she said.
Classes at the downtown campus and the nearby University of Winnipeg Collegiate were cancelled March 25, as technicians worked to restore the Wi-Fi network and regain access to a raft of critical academic services.
More than 9,000 students are enrolled at the university.
Final exams, which were originally slated to begin next Thursday, were later pushed back to April 18 as the institution tried to cope with the fallout.
Residence move-out day was also extended to May 3.
Officials announced Wednesday that Nexus — a learning management system used to disseminate curriculum and store grades — had been restored.
The students association will help guide students through the credit monitoring program enrolment process, Quiah said.
The university has a support line available from 8:30 a.m. to 4:30 p.m. (204-786-9325) and an email account at incident.support@uwinnipeg.ca.
—with files from Nicole Buffie and Chris Kitching
tyler.searle@freepress.mb.ca
Tyler Searle is a multimedia producer who writes for the Free Press’s city desk. A graduate of Red River College Polytechnic’s creative communications program, he wrote for the Stonewall Teulon Tribune, Selkirk Record and Express Weekly News before joining the paper in 2022. Read more about Tyler.
Every piece of reporting Tyler produces is reviewed by an editing team before it is posted online or published in print — part of the Free Press‘s tradition, since 1872, of producing reliable independent journalism. Read more about Free Press’s history and mandate, and learn how our newsroom operates.
Our newsroom depends on a growing audience of readers to power our journalism. If you are not a paid reader, please consider becoming a subscriber.
Our newsroom depends on its audience of readers to power our journalism. Thank you for your support.
History
Updated on Thursday, April 4, 2024 4:35 PM CDT: Adds background, quotes from Christine Quiah
Updated on Thursday, April 4, 2024 7:20 PM CDT: Updates throughout
Updated on Thursday, April 4, 2024 9:52 PM CDT: updates recommendations