Menu
Browse

Cyber Incident Victim: Mount Royal University

Date:

Jun 2023

Location:

Canada

Summary

Mount Royal University confirmed that a ransomware attack led to the deletion of two file storage systems and the exfiltration of employee and student data from its H drive. The disruption affected internal systems, online services and internet access, and the university reported the incident to the Alberta Information and Privacy Commissioner and law enforcement while offering 24 months of free identity theft and credit monitoring to current employees and those employed in the previous five years. A ransomware group called CMD Organization later posted proof of the theft on a leak site, claiming over ten terabytes of data were taken and demanding a 1.9 million dollar cryptocurrency ransom.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 2 techniques
Threat Actor Type Location
1 actor Available to members Available to members

Description

Mount Royal University discovered the incident on June 17 after hackers deleted two file storage systems from its network, one containing employee and student data and another used for departmental data storage. The deletion disrupted certain internal systems as well as online services and internet access, which the university announced publicly on June 18. In a follow‑up update, MRU confirmed that a ransomware group was responsible for the attack and that employee and student data hosted on the university’s ‘H drive’ had been exfiltrated and deleted. The university’s analysis indicated that the incident affected specific folders on the H drive rather than the entire drive, and it stated that it would begin directly notifying employees and students whose H drive folders were compromised within the coming week.

Cyber Incident Image

MRU announced that it would provide all current employees, as well as individuals employed within the past five years, with 24 months of free identity theft and credit monitoring services. The university also reported that the hackers did not access or exfiltrate data from the second file storage system that was erased during the attack. MRU said it had reported the incident to the Alberta Information and Privacy Commissioner and to law enforcement and would provide full cooperation with their inquiries. Citing the ongoing investigation, the university refrained from sharing details about how its network was compromised or identifying the perpetrators.

On the same day as MRU’s notice, the ransomware group CMD Organization added Mount Royal University to its Tor‑based leak site, claiming the theft of over 10 terabytes of data. CMD published screenshots as proof of possession and demanded a $1.9 million ransom payable in cryptocurrency. According to Comparitech, the group has claimed responsibility for 32 attacks to date, although only four of those claims have been confirmed, and it is known to auction information allegedly stolen from its victims.

Sources
Sources available to members
1 source