On March 2nd, Simon Fraser University (SFU) disclosed on their website that they identified a data breach occurred on February 28th. The school said that the breach affects “faculty, staff, students, alumni, and retirees who joined the University prior to June 20, 2019.” Student and employment numbers, names, birthdates, email address, mail list memberships, course enrollments and encrypted passwords were exposed. The school has advised students to change their passwords. It has yet to be determined how many people will be affected but the school estimates it could potentially affect thousands.
According to SFU, the ransomware attack “found a weakness in the way the information was handled.” The university says the data was exposed on Feb. 27, and the school identified and corrected the issue the following day. It is also reporting the breach to B.C.’s Office of the Information and Privacy Commissioner.
In an interview with Global News, Dominic Vogel, founder of Port Coquitlam cybersecurity firm Cyber SC gave SFU “top marks” for its response to the breach. With regards to the information that was breached, Vogel said, “It can be used to craft more believable phishing emails, so I give credit to the university and the [chief information officer] of the University in the email they sent out, they were very specific about what kind of data was compromised, what people should be looking for, what they can do.”
SFU is still conducting its investigation into the cause and extent of the data breach. In addition to its current response, the university is reviewing and changing physical, procedural, technical security measures, and internal operating policies and procedures.