Cyber Incident Victim: MacEwan University

In August 2017, MacEwan University suffered a significant financial loss due to a phishing attack targeting its staff. Between August 11 and August 19, three low-level university employees were deceived into transferring a total of $11.8 million to fraudulent bank accounts controlled by scammers. The attackers impersonated one of the university’s major suppliers by creating a counterfeit website resembling the legitimate supplier’s domain. This deception led staff to initiate three separate wire transfers: an initial payment of $1.9 million, followed by $22,000, and a final transfer of $9.9 million. The fraud remained undetected until August 23, when the actual supplier notified the university about unpaid invoices, prompting internal scrutiny. Subsequent investigations revealed that $11.4 million of the stolen funds had been routed to bank accounts in Montreal and Hong Kong, with the remaining $400,000 unaccounted for at the time of reporting.

The incident represented a substantial financial blow, equivalent to approximately 10% of MacEwan’s annual operating grant from the Alberta government. In response, the university immediately launched an audit of its financial processes and implemented enhanced controls to prevent recurrence. Legal teams in Montreal, London, and Hong Kong were engaged to pursue civil actions to recover the funds, resulting in the seizure of $6.3 million from the Montreal account and efforts to freeze the two Hong Kong accounts. An internal audit group was tasked with investigating the breach, though no specific procedural failures or employee disciplinary actions were disclosed publicly. The university emphasized collaboration with law enforcement and financial institutions but did not specify whether criminal charges were filed against the perpetrators. No data theft or system compromises beyond the fraudulent transfers were reported, with the attack’s impact confined to financial losses and operational disruptions.