Personally identifiable information about nearly 200,000 people has been exposed in a cyberattack on Simon Fraser University (SFU) computers, the institution said February 16.
Staff discovered that there had been a cyberattack on one of SFU’s servers February 5. Technology services immediately isolated the server and began an investigation.
SFU spokesman Braden McMillan said of the 200,000, the personally identifiable information for about 75% – or 150,000 people – is their student or employee identification number and at least one other data element, but no name identifier.
SFU said spreadsheet data on a breached server contained personal information for a number of current and former students, faculty, staff and student applicants.
Personal information exposed varies on what information is stored in different spreadsheets, the university said. Other data breached could include information on admission or academic standing.
But SFU said data exposed doesn’t include information such as banking details, social insurance numbers or passwords.
B.C.’s Office of the Information and Privacy Commissioner has been notified of the breach but cannot disclose details.
The university is directly notifying all affected individuals with a current email address on file, SFU said.
Among those affected are:
• active 2018 faculty, librarians, term lecturers, term lab instructors, visiting faculty, post-retirement faculty and sessional instructors;
• those with grades for engineering science and math 2013-18, grades for pre-calculus and calculus 1999-18 and Statistics 403 grades for transfer credit students between 2000-2016;
• students who applied for financial aid 1988-2017, students on academic probation in December 2018;
• students with undergraduate and graduate student honour and awards 1968-2020;
• students who made transcript requests 2016-19;
• Indigenous students in fall 2018;
• Fraser International College students 2014-18;
• student athletes 2006-14;
• those with National Collegiate Athletic Association student data from 2018, and;
• students with international characters (such as à, ä, â, 市 ...etc.) in their names or addresses 2007-2014.
People in those groups can check their status here.
“I'm glad we are learning about this only 11 days after the breach was first identified,” B.C. Freedom of Information and Privacy Association executive director Jason Woywada said. “I am pleased to see SFU take this approach to report a data breach that is affecting people and is working with the Office of the Information and Privacy Commissioner.”
Woywada said properly assessing the risk of harm from such attacks and taking appropriate steps to reduce that harm is critical as is ensuring steps to improve cybersecurity that reduce the possibility future occurrences.
“These types of robberies have a serious impact on the institutions that are stolen from and the people whose data is stolen,” he said.
He again called on Victoria to introduce mandatory breach reporting in its legislation.
While significant, the breach is nowhere near the largest in Canadian history.
In 2019, an attack on medical testing company LifeLabs exposed the personal information of about 15 million Canadians.
Information exposed in that ransomware attack included names, dates of birth, medical test data, health card numbers and home and email addresses.
While other universities hold similar data, their approaches vary.
“For security reasons, the university does not discuss cyber attack issues,” said University of British Columbia spokesman Matthew Ramsey.
Other universities were working on Glacier Media requests about breaches and cybersecurity.