U of W cyberattack a lesson for province: experts

Hey there, time traveller!
This article was published 10/04/2024 (545 days ago), so information in it may no longer be current.

A cyberattack that compromised decades of data at the University of Winnipeg should be a lesson for the provincial government, which has been advised to consider establishing uniform cybersecurity standards at public institutions.

“If standards are not mandated … it’s a matter of time before someone may break into your systems,” said security expert Hernan Popper, founder of Winnipeg-based Popp3r Cybersecurity Consulting Inc.

“It is something that policy from the government could help prevent.”

Popper said his daughter, a former student at the U of W, was among thousands of current and former students and staff who had personal information stolen during a cyberattack in late March.

University officials confirmed last week the stolen data includes names, birthdates, street addresses, social insurance numbers, tuition amounts and employee salary information. Some of the data dates back as far as 2003.

The school has offered affected students and staff access to a credit monitoring service for two years. Popper said it’s not enough.

“Those SIN numbers that were leaked, they will affect every single affected victim for the rest of their life,” he said. “(My daughter) is going to have to have her own processes and precautions in place in order to avoid further consequences from this breach.”

Provincial legislation requiring public institutions to protect personal and financial information already exists, but creating new regulations to ensure cybersecurity measures are maintained at the highest level might help prevent similar breaches, Popper said.

“Do you really need to keep private and confidential information for 21 years? That’s a question I don’t know the answer to, but this is information that was still in their system and was exfiltrated,” he said.

According to the university’s website “all universities must retain information about their employees and students for long periods of time. Various legal requirements apply, for example, regarding the retention of tax, payroll and pension information.”

“There is no single retention policy covering employee and student information because the need to keep individual records varies based on law and operational needs,” it says.

The Canadian Revenue Agency requires individuals, businesses, universities and hospitals to retain financial records for seven years. The federal body may specifically require records to be kept for an additional period of time, or indefinitely in some circumstances.

U of W confirmed the data was taken from a departmental file share called the “o drive,” which was encrypted and accessible only by authorized users. The university does not believe any of the data in the drive has been leaked and it is not aware of “any misuse linked to this incident,” the statement says.

“Our forensic examination is continuing to determine how these restrictions were compromised.”

Advanced Education Minister Renée Cable drew fire from Progressive Conservative MLA Kathleen Cook regarding the cyberattack during question period last week.

“As an alumni of the University of Winnipeg, the recent news of the cyberattacks is extremely concerning to me and thousands of other Winnipeggers,” Cook said. “Will this government do their jobs and step in to support them during this crisis?”

Cable responded by commending the university for its expediency in notifying government officials about the breach and efforts to restore network security.

A government spokesperson said Tuesday Cable’s office is continuing to monitor the situation and will be working with the university to review and formulate recommendations in the aftermath of the incident.

“While we recognize universities are self-governing institutions, we will be undertaking a broader review to ensure that campus communities are ensuring risks are minimized and personal information is safeguarded against cybercriminals,” the spokesperson said.

Richard Perchotte, Tory advanced education critic, denounced the response in an email statement.

“Student security and safety needs to be taken seriously,” he said. “At a time when students should be looking forward to their future, they are forced to panic and worry that their personal and financial information is being sold to the highest bidder.”

Meanwhile, the City of Winnipeg’s public works committee approved a motion to extend the winter term of the Winnipeg Transit U-Pass to May 2 from April 30.

City staff said riders would need to show their U-Pass and university identification to qualify.

A petition demanding the university compensate students and staff for their loss of data began circulating online last week, garnering nearly 1,500 signatures by press time. It asks for a sum of at least $500 be paid to all those affected by the cyberattack.

tyler.searle@freepress.mb.ca