Personal data of University of Winnipeg staff stolen in cyberattack

'It's a lot of data, specific data, that can be used in a lot of nefarious ways'

Personal data of University of Winnipeg staff stolen in cyberattack

University of Winnipeg workers had their personal data stolen in a cyberattack that took place in March, the university said.

The learning institution confirmed the development a week after first notifying its workforce about the breach.

“We have been investigating since the cyber incident first came to our attention on March 24, 2024,” said the university in a news release. “We have now confirmed that data from a university file server has been stolen and that the stolen information likely includes the personal information of current and former students and employees.”

The attack likely happened in the week before March 24.

A mere 1% of organizations in Canada have achieved the level of cybersecurity readiness required to effectively defend against modern risks, according to a previous Cisco report.

Workers’ SINs, compensation information stolen

During the attack, cybercriminals took the names, social insurance numbers, dates of birth, street addresses, phone numbers and compensation information of all current employees and all former employees employed since 2003, the University of Winnipeg said.

Bank account information of all current employees and all former employees employed since 2015 were also stolen, it said.

Meanwhile, the following information were taken from all students enrolled in University of Winnipeg undergraduate and graduate programs since the academic year beginning in September 2018:

  • names
  • programs of study
  • street addresses
  • student numbers
  • dates of birth
  • social insurance numbers (domestic students only)
  • fee and tuition amounts
  • gender information
  • marital status information

"It's clearly highly serious.… It's a lot of data, specific data, that can be used in a lot of nefarious ways,” said Peter Miler, president of the University of Winnipeg Faculty Association, in a CBC report.

Nine in 10 data breaches in 2023 originated from phishing attacks targeting employees, as Secure Email Gateways (SEGs) struggle with more sophisticated phishing campaigns, according to a previous Cofense report.

University of Winnipeg investigating cyberattack

The University of Winnipeg is continuing its investigation of the cyberattack.

“We continue to investigate to determine whether others are affected, and will provide further notifications based on our findings,” it said. “This investigation may take time, possibly months. In the interim, we have notified both law enforcement and the Manitoba Ombudsman.”

Meanwhile, “as a proactive step”, the university will be providing affected individuals a two-year credit monitoring service. 

“This is a service that allows one to check for signs of identity fraud so protective action can be taken,” the learning institution said. “Enrolling in the credit monitoring service provides you with excellent protection as you can ensure you receive an alert immediately if anyone attempts to open a credit account in your name.”

The University of Winnipeg will begin emailing and mailing codes along with instructions about how to enrol in the service.

Current employees do not need to contact their employer. However, former workers of the university who would like to update their address, must send an email to [email protected].

Workers included in the affected groups must email [email protected] if they do not receive a code within two weeks.

The University of Winnipeg also vowed to improve its cybersecurity capabilities.

“Our community has been subject to a cyber crime. It is disturbing that higher education institutions like the University and other public sector organizations are being targeted by cyber attacks.” it said. “This has been a terrible incident that has directly impacted our community, and for that we are deeply sorry. Rest assured that we will carefully consider the results of our investigation with a commitment to emerge from this incident with stronger cyber defences.”

How can cyber security be improved in the workplace?

Brett Gallant, founder and director of Adaptive Office Solutions, shared, via LinkedIn, the following cybersecurity tips for employers to consider this year:

  • Practice a “zero trust” approach to online activities.
  • Address the cybersecurity talent shortage in your organization
  • Use artificial intelligence (AI) and automation to improve cybersecurity practices.
  • Cooperate with other companies on the cybersecurity front.

Four in five (80%) organisations feel "moderately to very confident" in their ability to remain resilient in an evolving cybersecurity landscape, according to a previous Cisco report.