Personal information of thousands, including SINs and bank info, likely exposed in cyberattack: U of Winnipeg

Personal data from thousands of students and staff was stolen in a cyberattack late last month, the University of Winnipeg says.

The names, social insurance numbers, birth dates and addresses of students and former and current school employees have likely been exposed to the attackers, the university said in a Thursday news release.

The bank account information of anyone employed by the university since 2015 is also part of the potential exposure.

The leak potentially affects all graduate and undergraduate students enrolled since the fall of 2018, those enrolled in professional, applied and continued education and English-language programs since September 2019, as well as students who were issued T4A forms by the U of W since 2016, the university said.

All current employees and all former employees since 2003 are also likely affected.

The phone numbers of staff and compensation information were also part of the leaked data, the university said.

Students might have also had their fees and tuition amounts, gender and marital status information, and student numbers stolen by the attackers, the university said.

Investigation could take months, school says

The U of W said it’s still investigating whether other people have been affected by the attack, which was detected on March 24, but has “now confirmed that data from a university file server has been stolen and that the stolen information likely includes the personal information of current and former students and employees,” the university’s news release said.

It’s believed the theft likely occurred the week before it was discovered.

The university pushed back its exam period and move-out date for students living on campus in the week following the detection, which led to the shutdown of some of its critical systems.

The probe into the attack could take months, the university says. Law enforcement and the Manitoba Ombudsman office have been notified.

The university says it’s providing anyone who was likely affected by the attack with two-year credit monitoring so they’re better protected against identity fraud. Instructions will be sent out in the coming days.

In its release the university says it is “deeply sorry” about the incident and pledges to implement stronger defences in its online systems.
