
experts – Winnipeg Free Press

A cyber attack that compromised decades of data at the University of Winnipeg should be a lesson to the provincial government, which has been advised to consider establishing uniform cybersecurity standards across public institutions.

“If standards aren't enforced … it's only a matter of time before someone gets into your system,” said security expert Hernan Popper, founder of Winnipeg-based Popp3r Cybersecurity Consulting Inc.

“This is something the government's policy is helping to prevent.”

The university offered affected students and staff access to a credit monitoring service for two years, but that's not enough, security expert Hernan Popper said. (Files by Michaela McKenzie/Free Press)

Popper said his daughter, a former U of W student, is among thousands of current and former students and staff whose personal information was stolen in a cyberattack in late March.

University officials confirmed last week that the stolen data included names, dates of birth, street addresses, Social Security numbers, tuition and employee salary information. Some data dates back to 2003.

The school offered affected students and staff access to credit monitoring services for two years. Popper said that was not enough.

“SIN numbers taken away will affect every victim affected for the rest of their lives,” he said. “(My daughter) needs to have her own processes and precautions in place to prevent further consequences from this violation.”

Provincial legislation already requires government agencies to protect personal and financial information, but creating new rules to ensure strong cybersecurity measures are in place will help prevent similar breaches, Popper said.

“Do you really need to keep private and confidential information for 21 years? I don't know the answer to that question, but this is information that was still in their system and was deleted,” he said.

According to the university's website, “all universities must retain information about their employees and students for a long period of time. For example, different legal requirements apply to the retention of tax, salary and pension information.

“There is no single retention policy covering staff and student information, as the need to retain personal records varies depending on legal and operational needs,” it said.

The Canada Revenue Agency requires individuals, businesses, universities and hospitals to keep financial records for seven years. A federal agency may require records to be retained for an additional period of time or, in some cases, indefinitely.

U of W confirmed that the data was retrieved from a departmental file share called “o drive” that was encrypted and accessible only to authorized users. The university does not believe any of the data on the drive was leaked and is not aware of “any misuse related to this incident,” the statement said.

“Our forensic investigation continues to determine how these restrictions were breached.”

Advanced Education Minister Renee Cable made comments to Progressive Conservative MP Kathleen Cook about the cyber attack during question period last week.

“As an alumnus of the University of Winnipeg, the recent news about cyber attacks is deeply concerning to me and thousands of other Winnipeggers,” Cook said. “Will this government do its job and step in to support them in this crisis?”

Cable responded by praising the university for notifying government officials of the breach and efforts to restore network security.

A government spokesman said Tuesday that Cable's office was continuing to monitor the situation and would work with the university to review and formulate recommendations after the incident.

“While we recognize that universities are self-governing institutions, we take a broader view to ensure that the campus community mitigates risks and that personal information is protected from cybercriminals,” the spokesperson said.

Richard Perchot, a leading Tory education critic, condemned the response in an emailed statement.