Cyber Incident Victim: University of Waterloo

Date:

May 2023

Location:

Canada

Summary

The University of Waterloo was targeted by a ransomware attack affecting its on-campus Microsoft Exchange email services. The incident forced a temporary system-wide shutdown and required a complete system reset, impacting access to email and integrated educational platforms. The university successfully completed the reset but mandated a password change for all users to regain and maintain account access. The attack was discovered by the Royal Canadian Mounted Police, though no ransomware group claimed responsibility.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On May 30, 2023, the University of Waterloo experienced a ransomware attack. The school’s vice president, Jacinda Reitsma, confirmed the incident later that week, stating the university had stopped an attempted ransomware attack on that date. The institution, based in Waterloo, Ontario, serves a population of more than 40,000 students. Following the initial discovery, the university engaged in efforts to limit the impact of the initial breach that had preceded the ransomware cyberattack. The Royal Canadian Mounted Police discovered the attack on Tuesday, May 30, and subsequently informed both the Waterloo Regional Police and the university’s own Special Constable Services about the incident.

The attack specifically targeted the university’s on-campus Microsoft Exchange email services. This meant that individuals utilizing these on-premises email systems were affected, while those whose accounts were housed in the cloud-based Microsoft service were spared from any impact. As a direct consequence of the attack and the subsequent response actions, the university made the decision to disable the affected email system temporarily. This action resulted in students being unable to log into their email accounts or create new ones. Furthermore, because the email credentials served as a single sign-on for various other educational platforms, students and faculty also lost access to systems including Workday and the Waterloo LEARN platform.

In an initial statement, Vice President Reitsma explained that the on-campus email service had been isolated as a containment measure. She noted that while the investigation into the full impact of the breach was ongoing, it might be necessary to isolate additional services throughout the day, which would result in further intermittent access issues for various systems across the campus. The university provided ongoing updates to its community regarding the status of IT services and the response to the incident.

By Thursday, June 1, the university’s response escalated with the initiation of a complete system shutdown and reset. This major maintenance operation was scheduled for Thursday night and was projected to last for approximately six hours. This extensive action was a direct response to the ransomware incident and aimed to secure the compromised systems. The widespread IT outage impacted more than just email; access to the university library’s online resources was also disrupted. Key research and learning tools such as the Omni system and course reserves became unavailable to students and faculty during this period.

To address growing concerns and to communicate the situation transparently, the university held a town hall meeting. This forum allowed the administration to explain the circumstances of the cyberattack and the ongoing response efforts directly to students and faculty members. The session provided a platform for the university community to receive information and have their questions answered regarding the breach and its implications.

On Friday, June 2, the university provided an update stating that the overnight system reset had been successfully completed. However, this remediation step introduced a new required action for all users. Vice President Reitsma announced that all students and faculty would be required to change their passwords for the affected systems by a deadline of June 8. This mandatory password reset was a security measure intended to ensure that any potentially compromised credentials were rendered invalid. The university explicitly warned that any individual who failed to change their password by the stipulated deadline would be automatically locked out of their account. Those locked out would then require manual assistance from the university’s IT service team to regain access, a process that would likely involve delays.

The incident had tangible operational consequences beyond email inaccessibility. Because email credentials were the gateway to other critical platforms, the attack had a cascading effect on university operations. The inability to sign into Workday, a system used for human resources and student administration, and Waterloo LEARN, a central hub for course materials and online learning, disrupted both academic and administrative functions. The library's systems, which remained offline during the outage, further hindered academic research and study activities.

No ransomware group publicly claimed responsibility for the attack on the University of Waterloo in the immediate aftermath. The absence of a claim gave no indication of the specific threat actor or group behind the incident. The attack occurred within a broader context of increased ransomware activity targeting large Canadian institutions throughout 2023. Earlier, in February, the LockBit ransomware group had claimed an attack on Indigo, a billion-dollar Canadian bookseller. Just three weeks prior to the Waterloo incident, the National Gallery of Canada was also publicly struggling with its own ransomware attack, highlighting a concerning trend for the sector.

The university’s response followed a clear sequence of detection, containment, investigation, and remediation. The initial action involved isolating the compromised on-premises Microsoft Exchange service to prevent the ransomware from spreading to other parts of the network. This was followed by a temporary full disablement of the system to halt malicious activity. The investigation into the breach’s scope was ongoing during the initial days, with the potential for further service isolation acknowledged. The most significant response action was the complete system shutdown and reset, a resource-intensive process that took several hours to execute and successfully complete. The subsequent mandatory password reset for all users was the final major step in the documented response, aimed at restoring security integrity to the user account system. The involvement of law enforcement, including the RCMP and local police, indicated that the incident was also undergoing a criminal investigation.
