Thousands of staff, students have sensitive data stolen in University of Winnipeg hack

The University of Winnipeg in Canada has confirmed that hackers stole sensitive information from the institution in an incident that took place late last month, affecting former and current students and staff.

The university, which has more than 18,000 students and 800 staff, said in a statement on Thursday that “the stolen information likely includes the personal information of current and former students and employees.”

The cyber incident was first announced on March 25, when the institution took a range of services offline. A few days later, the university’s president and vice-chancellor, Dr. Todd Mondor, said that Winnipeg had been hit by “a targeted cyber attack on the University’s network.”

The investigation is ongoing and “may take time, possibly months” according to the university, which currently believes the attackers were able to access a file server. The nature of the cyber incident hasn’t been confirmed, but the university stated “the theft most likely occurred in the week before March 24th.”

On an additional webpage, the institution announced what data had been exposed and from which cohorts. It includes the “names, social insurance numbers, dates of birth, street addresses, phone numbers, and compensation information” of all current and former employees since 2003, with everyone employed since 2015 also having their bank account information seized.

Students who enrolled in the university since 2018 have had their “names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers (domestic students only), fee and tuition amounts, gender information, and marital status information” exposed.

The university said it will be providing the affected individuals with a two-year credit monitoring service and encouraged all of those affected to enroll, noting it also comes with insurance provisions for anyone subsequently targeted by fraudsters.

“Our community has been subject to a cyber crime. It is disturbing that higher education institutions like the University and other public sector organizations are being targeted by cyber attacks,” the institution stated.

“This has been a terrible incident that has directly impacted our community, and for that we are deeply sorry. Rest assured that we will carefully consider the results of our investigation with a commitment to emerge from this incident with stronger cyber defences.”