SFU ransomware attack exposed data from 250,000 accounts, documents show
Officials didn't disclose number in March when personal data of students, faculty, alumni were compromised
A ransomware attack last spring at Simon Fraser University (SFU) compromised the personal information of about 250,000 students, faculty and alumni, documents reveal.
The ransomware — malicious software that locks a computer system until a ransom is paid — breached a database on Feb. 27 that contained the personal information of every person who joined the school before June 20, 2019.
The information included student and employee identification numbers, full names, birthdays, course enrolments and encrypted passwords. Accounts were also linked to staff and retirees.
No banking or financial information was compromised, and the university said no one was at risk of identity theft. But the attack highlights the scope of cyber-security threats at post-secondary schools and the vulnerabilities in their systems.
IT staff learned of the attack the following day and disclosed it to the campus three days later.
Officials knew how many accounts had been breached but did not disclose the number at the time, despite requests from CBC News when the attack was first reported. The figure was revealed in emails and briefings between SFU officials obtained through a freedom-of-information request.
Angela Wilson, a spokesperson for SFU, said last week that IT staff had been completing an independent review of the event at the time.
"We weren't sharing further details until they were confirmed and finalized to ensure they were correct and accurate," she wrote in an email.
No ransom paid
The breach hit on Feb. 27 when a bot discovered a loophole in the school's system. The bot launched a brute force attack, a hacking technique that systematically checks password combinations until the right one is found.
The loophole arose when a developer replaced a software tool on an SFU computer and assumed the new version behaved the same way. The previous version had allowed local network access only, but the new software was open globally to the internet.
Officials the next day discovered the database had been wiped, with a note left in the system stating the data would be released only if a ransom was paid. Staff immediately disconnected the computer and later found the personal data had been copied.
A student would likely not be a huge, attractive target. But if a student eventually became a minister in the government and their information is out there, that becomes a good target.- Roger Gale, BCIT instructor in industrial network cyber-security
SFU's chief information officer, Mark Roman, said the school did not have to pay a ransom given the breach was a copy of old data, unlike a ransomware attack in 2016 at the University of Calgary, where the school paid $20,000 in ransom after the malware crippled its IT systems.
An email from SFU's cyber-insurance provider noted the school had a $100,000 deductible on its policy. The insurer noted the risk in this case was negligible given the source of the attack, the name of which was redacted in the documents.
The school had previously faced similar ransomware attacks but not of this scope. Data from web forms was compromised, including online applications for teacher assistant positions, financial aid advising and admission deferral requests.
Roman said the university hasn't seen any evidence that the personal data has been used to try to access its systems.
The data, however, could be used by cyber criminals to try to access banking accounts, said Dominic Vogel, founder of the cyber-security consulting firm Cyber SC in Vancouver.
Roger Gale, an instructor at BCIT's industrial network cyber-security program, said the information could also have been sold on the dark web and will be out there for years to come.
"A student would likely not be a huge, attractive target," he said.
"But if a student eventually became a minister in the government and their information is out there, that becomes a good target."
'We did the best we could'
On March 2, SFU sent a campus-wide email and posted a notice on its website, urging all school members to change their passwords.
It also reported the privacy breach to the province's information and privacy commissioner.
Some faculty raised concerns about the announcement's timing.
Isabelle Côté, chair of the biological sciences department, emailed Roman about the four-day gap.
"This seems particularly puzzling after hearing someone, who I think was an SFU spokesperson, on the radio yesterday talk about how transparency is essential in situations like this," she wrote.
Roman responded that staff had worked continuously from Friday to late Sunday to figure out the cause of the breach before making a statement.
"From discovery to announcement was one business day — we did the best we could."
CBC News asked the school on March 2 how many accounts had been compromised. A spokesperson said the school did not have an exact number.
When asked again to provide a number on March 6, the school said the final numbers hadn't been confirmed, and an investigation was underway.
But media talking points shared between officials showed the school was aware on March 2 that 250,000 accounts had been breached.
Vogel said he tells clients they need to be transparent when entrusted with sensitive data.
"If you're making an approximation, say it's an approximation."
SFU provided figures this week breaking down the number of compromised accounts. They include 37,500 students, 35,000 alumni, 6,500 staff and 1,250 faculty.
About 160,000 were "lightweight" accounts — ones with no email access — that include all other former SFU members, including former staff and students who didn't graduate.
Overwhelmed password system
The university faced another hurdle after blasting out its initial email: a password reset system that was quickly overwhelmed.
SFU said the password change would take up to 30 minutes to activate, but staff and faculty reported delays of up to six hours, effectively locking them out of their work.
The technology service desk that day fielded triple its normal volume of calls.
The school password system was developed in 1991, which made it difficult to improve performance, Roman wrote in a note to staff. Staff fixed the system later that day.
Roman said the school has implemented new security measures since the attack, including multi-factor authentication and a virtual private network, which provides an encrypted internet connection.
Gale said the attack is relatively minor compared to other breaches, such as the attack last year on LifeLabs that exposed the health information of 15 million Canadians.
"There's no doubt in my mind [SFU] could have done better," he said.
"But in the entire scheme of things, they responded appropriately and within a reasonable time frame."