U of W dropped ball on cybersecurity: staffer

A University of Winnipeg staff member says the institution failed to take basic steps to protect private information after student and faculty data was stolen in a cyberattack last month.

The staff member, who spoke on condition of anonymity, said that, among other “vulnerabilities” in the U of W’s information and technology systems, computers in classrooms were not password-protected.

“It’s mind blowing that anyone could walk into any classroom that’s open and use a computer in the classroom without needing to provide a username or password,” the staff member said. “The fact that these computers are just left open creates an incredible number of vulnerabilities for accessing university systems and tracking personal information and credentials entered on those devices in the classroom.”

MIKE DEAL / FREE PRESS A computer connected to the internet in an empty and unlocked classroom at the UofW Friday afternoon.

The staffer raised concerns about the possibility of someone installing a key-tracking program that would capture passwords and faculty login information.

In a request for comment, the university pointed to the updated frequently asked questions section of its website, which noted classroom computers are secure and don’t have access to network services such as file storage.

“They are further secured to prevent any changes, installation of software and are reset with each new session,” the website reads.

The U of W learned it was the victim of a cyberattack on March 24. An investigation has since revealed the perpetrator breached the network a week earlier. Financial and personal data dating back to 2003 was stolen from a university file server, affecting thousands of current and former students and staff, the university announced Thursday.

That the intruder was able to remain undetected for about a week suggests “they didn’t brute force their way into the network, they were allowed in,” said Mathieu Manaigre, founder and president of Avenir IT in Winnipeg.

Access of that kind is most commonly gained through “social engineering”: a lapse by someone who clicked on a link in a phishing email or fell victim to a scam phone call from someone pretending to be an IT professional, Manaigre said, citing general examples.

In response to questions about what U of W is doing to prevent another cyberattack, the university stated: “At this time, we have re-secured our network and implemented special measures to protect it as we continue to investigate. In time, we will consider the results of our investigation and thoughtfully develop a plan for improving our cyber security posture.”

Students on campus Friday expressed palpable anxiety about their financial futures after learning their information was compromised.

When marketing student Tutu Agboola arrived on campus and tried to access a WiFi network on her phone, she couldn’t log on. A common alert popped up asking her to enable a certificate to join the network.

“Prior to (this cyberattack) I would’ve done that, without blinking an eye. But I had to go to IT and ask them, ‘can I do this?’” Agboola said she’s concerned and extra cautious now that her trust in the university’s online systems has been shaken.

“I just feel like once that trust has been breached, it’s hard to get it back.”

All university systems are now considered secure.

First-year students Julie and Kathleen, who declined to provide their surnames, said they have changed their bank account information.

MIKE DEAL / FREE PRESS UofW student Tutu Agboola.

“I’m actually paranoid, so I check my bank account every day for (unauthorized) transactions,” Julie said.

Agboola said she and fellow students are still concerned and want to know what action the U of W is taking.

“We’ve changed our passwords and we’re hopeful for the best, but we don’t know what the way forward is,” Agboola said. “I think that’s something that needs to be communicated to us.”

Even though it might be inconvenient, it’s a good idea to double-check online activities with IT staff, Manaigre said.

“Being paranoid at this point is almost the same as being diligent when it comes to cybersecurity,” he said.

He advises people to flag it as soon as possible, at home, at work or at school, if they think they might’ve accidentally clicked a bad link or entered a password on an illegitimate site. Don’t let embarrassment keep you silent, he said. “Don’t wait,” Manaigre said. “That’s probably the worst thing you can do. Let people know right away.”

Credit-monitoring is available for affected individuals who are now at risk of identity theft, and the university has said it is compiling a list of students and faculty whose information is believed stolen. The university hasn’t said exactly how the information was stolen. It has notified the Winnipeg Police Service, the Canadian Centre for Cybersecurity and Manitoba’s ombudsman.

As for how the breach has affected other institutions, the University of Manitoba said Friday it wouldn’t disclose for security reasons whether it has taken any extra measures.

katie.may@freepress.mb.ca

Katie May
