SFU Hit by Ransomware Attack, Results in Data Breach

Simon Fraser University (SFU) has become the latest victim of a ransomware attack that led to the exposure of personal information of thousands of people.

In a campus-wide email issued on Monday, Mark Roman, SFU’s chief information officer, notified faculty, staff, students, alumni, and retirees about a privacy breach that potentially impacted everyone who has joined the University prior to June 20, 2019.

“We deeply regret this incident, are working diligently to contain the situation and are committed to helping mitigate the potential risks and harm to our faculty, staff, students, alumni and retirees,” said Roman in the email.

SFU Ransomware Attack

According to a statement posted on the University’s website, the security incident happened on Feb 27 and was later identified and corrected quickly the following day, Feb 28.

“The privacy breach occurred when SFU’s system was subjected to a ransomware attack that found a weakness in the way the information was handled. This weakness has been discovered and corrected. No SFU systems are currently exposed,” the statement explained.

Among the information exposed on the breach included names of students and employees, their school and working numbers, birthdates, mail list memberships, course enrollments, as well as their encrypted passwords.

“While it does not appear that any SFU Computing accounts have been compromised, changing your password now will significantly mitigate that risk,” the statement wrote.

To date, the university ensured that it is currently doing the necessary measures to limit the impact of the breach and prevent future incidents from happening. Among these include alerting the affected individuals, supporting the victims upon request and as needed, investigating about the breach, evaluating the possible risks that come with the data exposure, reviewing and improving appropriate policies and procedures, as well as reporting the incident to BC’s Office of the Information and Privacy Commissioner.

“The university deeply regrets this incident, we are working diligently to contain the situation and are committed to helping mitigate the potential risks and harm to our faculty, staff, students, alumni, and retirees,” the statement concluded.

Among the potential risks associated with the latest incident include identity theft, spam emails, and even exposure to additional personal information.

“It can be used to craft more believable phishing emails, so I give credit to the university and the [chief information officer] of the University in the email they sent out, they were very specific about what kind of data was compromised, what people should be looking for, what they can do,” Dominic Vogel, founder of Port Coquitlam cybersecurity firm Cyber SC told Global News.