Cyber attack updates and support

What happened?

We have been investigating since the cyber attack first came to our attention on March 24th. Our investigation is continuing, but we have now confirmed that data from a University file server has been stolen and that the stolen information includes the personal information of current and former students and employees.

Where was the data stolen from?

Data was stolen from a departmental file share – our “o drive.” The University has copies of the data, and access to the o drive will be restored next week.

Was the O drive secured?

Yes. Access to the o drive is limited to authorized users only, and the drive itself is encrypted. Our forensic examination is continuing to determine how these restrictions were compromised.

Has the data been leaked?

Our experts are currently watching for this. We do not believe that the data has been leaked.

Are you aware of any misuse linked to this incident? What can we do now?

No. Unfortunately, organizations across the public and private sectors have been repeatedly targeted by cyber criminals, and our incident is one of many. We all have been and will continue to be at risk of scams and should be vigilant. We also encourage all affected individuals to enrol in the credit monitoring service.

What should I do to protect myself?

As a proactive step, we will be providing individuals who are likely affected a two-year credit monitoring service from TransUnion. This is a service that allows one to check for signs of identity fraud so protective action can be taken. Enrolling in the credit monitoring service provides you with excellent protection as you can ensure you receive an alert immediately if anyone attempts to open a credit account in your name.

In the coming days, we will begin emailing and mailing codes along with instructions about how to enrol. You do not need to contact us for a code; however, if you are a former employee or student and would like to update your address, please email incident.support@uwinnipeg.ca. We will send future communications to your updated address. If you are included in one of the groups listed above and do not receive a code within two weeks, please email us at incident.support@uwinnipeg.ca.

Should I place a fraud alert on my credit file? 

A fraud alert is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. They are protective because they may cause lenders to take extra steps to verify identity. Given they can also cause transaction delays, we are leaving that choice to you.

Placing a fraud alert on your TransUnion file is free. You can also elect to place a fraud alert on your Equifax credit file.

Should I replace my bank account number and other identification numbers?

Enrolling in the credit monitoring service is one of the best means of protecting yourself. We are not recommending that employees and former employees attempt to change their bank account numbers or their other identification numbers, and social insurance numbers cannot be changed without evidence of actual misuse.

Are donors and others affected?

We believe the greatest impact of this incident is on employees and students, but it is possible that donors and others are also affected. We are continuing to analyze data, which may take a significant amount of time, possibly months.

Why are you not providing both TransUnion and Equifax services?

Having both services is largely redundant.

Why are you not providing more than two years of credit monitoring service?

Given the prevalence of cyber attacks and data theft, the impact of any single event is difficult to determine. In this situation, many organizations will provide a single year of credit monitoring. We elected to provide two years of service, and believe that to be fair.

Will the University compensate me?

The University is providing credit monitoring protection and not compensation. However, if you have an identity theft problem that you believe to be linked to this incident, please let us know right away. There is also insurance available to those who enrol in the credit monitoring service, which is another reason why you should enrol.

Will enrolling in the credit monitoring service affect my credit score?

No, it will not affect your credit score.

I used my work computer to do my personal banking. Should I contact my bank to notify them of the cyber incident?

No, but if you are concerned, you can change your online banking password and, if it isn’t mandatory at your bank, enable multi-factor authentication for access to your bank account.

What should I do if my SIN was part of the information exposed?

You should enrol in the TransUnion monitoring service being provided by the University. Service Canada also advises individuals affected by a breach to regularly review their banking and credit card statements. If an individual notices any suspicious activity related to their SIN, they should report it to the police, contact the Canadian Anti-Fraud Centre and inform Service Canada.

More information is available on the Service Canada website:

• Protecting your SIN
• Information for SIN holders

In the list of those who may be affected, what do you mean by “employee”?

Many types of individuals have an employment relationship with the University, such as:

• Regular academic staff
• Contract academic staff (including contract instructors/sessionals)
• Regular staff (including all excluded and unionized employees)
• Staff hired on a term or casual basis
• English Language Program instructors
• Research assistants and research associates
• Markers, teaching assistants, tutors, mentors, and student assistants
• Work study students paid by the University
• Post-doctoral fellows paid by the University

If I do not have an employment relationship with the University but received an honorarium, does that make me an “employee”?

No.

If I paid student fees for someone else, does that mean I’m included in this notification?

No.

I’m confused as an international student. This page originally noted that the exposure of social insurance numbers only affected domestic students. However, that note has now been removed. What does this mean?

We apologize for any confusion. We stated that social insurance numbers (SIN) were exposed for “domestic students only” because many international students do not have a SIN number. If you are an international student with a SIN number within a population identified above, your SIN number was exposed. We have corrected this in our notification.

Are classroom computers secure?

Classroom computers are secured in multiple ways. These computers do not have access to campus network services such as file storage and printing. They are further secured to prevent any changes or installation of software, and are reset with each new session.

Does the University require students, faculty, and staff to use multi-factor authentication?

Multi-factor authentication (MFA) has been applied on multiple campus-wide services. MFA is mandatory for use by all faculty, staff and students to allow access to these services.  Continued and ongoing progress is being made to expand the services protected by MFA.

Why does the university hold on to the data for so long?

All universities must retain information about their employees and students for long periods of time. Various legal requirements apply, for example, regarding the retention of tax, payroll, and pension information. There are also operational needs to know who has been employed with us in the past, and to have a record of our students for purposes include alumni matters and the issuance of transcripts. There is no single retention policy covering employee and student information because the need to keep individual records varies based on law and operational needs. The University has policies in place governing the secure storage of employee and student information.

What are the policies around how data is stored?

The storing of information at the University is governed by the Information Security Policy and Procedures.

• Policy
• Procedures

What additional measures are being taken so that a breach like this doesn't happen again?

At this time, we have re-secured our network and implemented special measures to protect it as we continue to investigate. In time, we will consider the results of our investigation and thoughtfully develop a plan for improving our cyber security posture.

Is the process used for new and current employees to submit personal information to HR secure?

Although the cyber attack on our network exposed employee information, the submission of information to HR follows a secure process.

Is the University’s network now secure?

Yes—we have worked with our expert partners to get all our systems safely and securely back online, and our experts our currently monitoring the network continuously for signs of any problems.

What was installed on UWinnipeg-managed computers during the in-person update?

SentinelOne (or “S1”) and Huntress were installed. These are leading “endpoint security” tools that protect end-user computers from malicious threats and cyber attacks.

Why the need for this new tool?

As networks have evolved, endpoint security tools like S1 and Huntress have become essential to cyber protection. We rolled out S1 and Huntress as part of our recovery to the recent cyber attack to gain confidence that our network had been re-secured and is safe.

Though we had this type of tooling on part of our network prior the incident, this is a major advance in our network security and is to the benefit of all our community. It will help us avoid the type of disruption that we have recently faced, and it will advance security around employee and student personal information, research data, and other sensitive data.

What specific events, system messages, or activities are included in the system logs recorded by S1?

S1 and Huntress collect data about the computing processes being run on an endpoint and data about how the endpoints are configured. They analyze the data using automated means to detect anomalies that may represent threats and vulnerabilities.

How will the data collected by S1 be used, and who within S1 will have access to this information?

S1 and Huntress collect data using automated means to detect anomalies that may represent threats and vulnerabilities. Alerts are directed to authorized individuals in the Technology Sector, currently via the security experts who are helping the University respond to the cyber incident.

Does the University have access to the logs monitored by S1?

No.

What safeguards are in place to prevent the misuse of collected data or its access for non-security purposes?

S1 and Huntress data are secured and accessible only to authorized personnel from the security expert company that is helping the University respond to the cyber incident, which is under a contract with the University that requires it to safeguard information. Alerts are reported to authorized personnel in the Tech Sector.