University must learn from experience

Opinion

Hey there, time traveller!
This article was published 12/04/2024 (544 days ago), so information in it may no longer be current.

For an institution dedicated to the advancement of higher learning, one hopes a recent computer-security calamity will serve as a teachable moment.

In the wake of a cyberattack last month, the University of Winnipeg was forced to cancel classes, temporarily shut down its principal internal systems and require students and staff to reset all passwords as part of a massive effort to re-secure and restart its operations.

The attack also delayed the start of exams, forced cancellation of sporting events and obliged the university to disclose that decades’ worth of personal and financial information from students and faculty members had been compromised when an internal file server was breached by cyber thieves.

It is, by any standard, an ongoing disaster. And as U of W officials, along with police services and security experts, continue to probe the origins, depths and impacts of the incursion, it’s worth taking a moment to consider what lessons will have been learned by this unfortunate — and, according to some in the university’s community, preventable — security lapse.

While rightly describing the breach as a criminal attack, U of W officials have to date seemed reluctant to concede any failings that might have made the system vulnerable. But according to at least one staff member, the university neglected to apply basic measures that might have protected the at-risk information. The staffer said the vulnerabilities included the presence in classrooms of computers that were not password-protected.

“It’s mind-blowing that anyone could walk into any classroom that’s open and use a computer … without needing to provide a username or password,” the employee said, adding such lax security “creates an incredible number of vulnerabilities for accessing university systems and tracking personal information and credentials.”

A request for comment from the university was met with a referral to an updated “frequently asked questions” section of the U of W website that states classroom computers are secure and can’t be used to access network services such as file storage.

While it’s encouraging to know that’s currently the case, one is left wondering what the state of affairs, security-wise, was leading up to and during the weeklong period during which the nefarious actors are believed to have had access to the U of W’s data.

Once the university and law enforcement have completed their investigation, it is incumbent on the U of W to provide a full accounting of how and why this serious violation of the institution’s cyber-security was able to occur — if not to satisfy the need for public confidence in the integrity of universities’ information systems, then at least to offer an acceptable level of transparency to the thousands of students and employees whose personal information, including names, addresses, birthdates, financial details and social insurance numbers, may have been harvested during the breach.

For those affected by the attack, the U of W has offered to cover the cost of two years’ credit monitoring to help them defend against identity fraud — a concession one security expert deemed inadequate, given that the information theft will impact “every single affected victim for the rest of their life.” No financial compensation has been offered; a petition circulating at the university demands at least $500 be paid to anyone affected by the breach.

Monetary considerations will no doubt be discussed in the months ahead; what is most needed now are assurances that the U of W — and, for that matter, all public institutions and the government that oversees them — has taken heed of the daunting digital-age lesson presented by this egregious violation.

Teachable moments are only useful when one actively seeks to learn from them.