Cyber attack updates and support
(Note: This page was updated as additional information became available. The original announcement can be found here.)
We announced on March 25, 2024, that our university community had been subject to a cyber attack. On April 4, 2024, we confirmed that the stolen data included personal information. A list of the groups likely affected, as well as the types of information exposed, was shared on the University website. Individuals likely affected were provided a two-year credit monitoring service.
At that time, we committed to completing a thorough investigation to determine whether others were affected, and to provide further notifications based on our findings. That investigation has now concluded, and we have updated our notification of groups likely affected and information exposed:
Population likely affected | Information exposed
All students enrolled in undergraduate and graduate programs since the academic year beginning in September 2018 | Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, fee and tuition amounts, gender information, and marital status information
NSERC Undergraduate Student Research Awards (USRA) winners and internal USRA Humanities and Social Sciences award winners with date of birth or social insurance number on file in 2003-2010 | Name, mailing address, date of birth, and social insurance number
Master's in Development Practice students in 2011-2018 | Name, mailing address, phone number, email, academic history, and employment history
Master's in Development Practice students on field placements in 2013-2023 | Name, passport information, date of birth, and banking information
Undergraduate students in 2008-2015 | Student number, date of birth, citizenship, address, gender, and age
Graduate students in 2010-2015 | Student number, date of birth, citizenship, address, gender, and age
Graduates (undergraduate and graduate programs) in 2008-2018 | Name, date of birth, student number, phone number, mailing address, email, and program information
Master’s in Development Program students who provided personal health information in support of a field placement in 2014-2023 | Name, information regarding health insurance, and Personal Health Identification Number
Master’s in Development Program students who provided personal health information in support of an incomplete course request or retroactive withdrawal from 2015 to March 2024 | Name and personal health information provided by the student in support of their request
Business and Administration Students who provided personal health information in support of an academic appeal in 2018-2022 | Name and personal health information provided by the student in support of their appeal
Graduate students who provided personal health information in support of an academic appeal in 2020-2023 | Name and personal health information provided by the student in support of their appeal
Note: Some undergraduate and graduate students may also be included in additional groups, such as “Students – General” and “Other groups.”
Population likely affected | Information exposed
All students enrolled in PACE programs since the academic year beginning in September 2019 | Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, and tuition amounts
PACE students in 1987-2006 | Name, student number, mailing address, phone number, gender, date of birth, and grades
PACE students who requested transfer credits in 2018 | Name, date of birth, student number, email, and transcripts
PACE full-time, international students issued a refund by wire payment in 2016-2018 | Name, date of birth, student number, email, and banking information
PACE graduates in 2010-2012 | Name, date of birth, student number, phone number, mailing address, email, and program information
PACE students who provided personal health information in support of an academic appeal from 2022 to March 2024 | Name and personal health information provided by the student in support of their appeal
Note: Some PACE students may also be included in additional groups, such as “Students – General” and “Other.”
Population likely affected | Information exposed
All students enrolled in ELP programs since the academic year beginning in September 2019 | Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, and tuition amounts
ELP graduates in 2018 | Name, date of birth, student number, phone number, mailing address, email, and program information
Note: Some ELP students may also be included in additional groups, such as “Students – General” and “Other.”
Population likely affected | Information exposed
Collegiate students in 2018-2022 | Name, date of birth, student number, gender, Manitoba Education and Training number, citizenship, email, parent email, phone number, and mailing address
Collegiate graduates in 2008-2009, 2011-2013, and 2018 | Name, date of birth, student number, phone number, mailing address, email, and program information
Note: Some Collegiate students may also be included in additional groups, such as “Students – General” and “Other.”
Population likely affected | Information exposed
All students to whom the University issued T4A forms since 2016 | Names, street addresses, social insurance numbers, and funding amounts
Students who applied for an award in 2017-2020 | Name, phone number, student number, email, type of award and amount, mailing address, citizenship, date of birth, and information about financial need
International students from 2014 to March 2024 | Name, student number, date of birth, and Immigration, Refugees and Citizenship Canada number
Students with accounts sent to collections from 2011 to March 2024 | Name, email, mailing address, student number, date of birth, and amount owing
Students who paid by wire payment from 2014 to March 2024 | Name, student number, banking information, and amount
Students who paid with a cheque declined for insufficient funds from 2012 to March 2024 | Name, student number, cheque information, and amount
Students who provided personal health information in a personal statement when applying for an award from 2016 to March 2024 | Name and personal health information provided by the student in support of their application
Population likely affected | Information exposed
All current employees and all former employees employed since 2003 | Names, social insurance numbers, dates of birth, street addresses, phone numbers, and compensation information
All current employees and all former employees employed since 2015 | Bank account information
Employees on maternity leave, long-term disability leave, or sick leave in 2010 and 2016 | Name and type of leave
Employees to whom a letter was sent regarding long-term disability leave in 2010-2021 | Name and details of long-term disability benefits
Employees who applied for long-term disability leave from 2020 to March 2024 | Name, condition/diagnosis information, symptoms, medical history, hospitalization information, medical information, treatment plans, and medications
Employees who provided a medical note in support of a maternity leave application from 2021 to March 2024 | Name and medical note with confirmation of pregnancy and due date
Employees to whom a letter was sent requesting additional information from a doctor regarding sick leave in 2010-2021 | Name and request for clarification on restrictions and limitations previously submitted
Employees on sick leave from 2021 to March 2024 | Name and personal health information provided by employee in support of sick leave request
Employees who requested or had a workplace accommodation from 2019 to March 2024 | Name and personal health information provided by employee in support of accommodation request
Population likely affected | Information exposed
ELP applicants in 2020-2021 | Name, date of birth, age, gender, and student number
International applicants to undergraduate studies in 2021-2023 | Name, date of birth, student number, citizenship, email, mailing address, and program of study
Prospective students from Africa and the United States from 2021 to March 2024 | Name, date of birth, email address, mailing address, and citizenship
International applicants who have not been admitted pending study permit approval in 2024 | Name, student number, date of birth, and Immigration, Refugees and Citizenship Canada number
Applicants to PACE programs from 2017 to March 2024 | Name, date of birth, passport, transcripts, phone number, and address
Applicants to PACE Connecting Aboriginals to Manufacturing program in 2011-2012 | Name, date of birth, email, mailing address, and CV information
Prospective PACE students from international recruiting fairs from 2023 to March 2024 | Name, email, phone number, and date of birth
Applicants to the Master's in Development Practice program and prospective students, including qualifying year students, who were unsuccessful, deferred, or did not attend from 2011 to March 2024 | Name, mailing address, phone number, email, date of birth, academic history, and employment history
Applicants to graduate studies programs in 2018-2020 | Name, phone number, student number, email, mailing address, educational history, date of birth, and gender
Population likely affected | Information exposed
Homestay host families and host family applicants in 2016-2021 | Name, mailing address, email, phone number, occupation, country of birth, and home profile information
Master's in Development Practice guest speakers from whom a social insurance number was collected from 2012 to March 2024 | Name, mailing address, email, social insurance number
All contractors from whom the University collected a social insurance number from 2015 to March 2024 | Names, street addresses, social insurance numbers, and payment amounts
Population likely affected | Information exposed
Honorary Doctorate, Professor Emeritus/Emerita, and Fellowship in United College & The University of Winnipeg nominees from 2005 to March 2024 | Name, email, phone number, and CV information
Distinguished Alumni award nominees from 2017 to March 2024 | Name, email, phone number, and CV information
Population likely affected | Information exposed
Banting Postdoctoral Fellowship candidates who submitted applications to UWinnipeg from 2019 to March 2024 | Name, mailing address, date of birth, residency status, phone number, email, and CV information
Applicants to Criminal Justice and Indigenous Law position from January to March 2024 | Name, email, phone number, and CV information
Applicants to instructor positions in Criminal Justice from January to March 2024 | Name, email, phone number, and CV information
Applicants to Health and Safety Specialist position in 2014 | Name, email, phone number, and CV information
Applicants to Insurance and Risk Management Coordinator position in 2020 | Name, email, phone number, and CV information
Applicants to Employee Health and Wellness Specialist position in 2020 | Name, email, phone number, and CV information
Applicants to Employee Health and Wellness Specialist position in 2020 | Name, email, phone number, and CV information
Applicants to Research Counsel position in 2023 | Name, email, phone number, and CV information
Applicants to Senior Counsel position in 2023 | Name, email, phone number, and CV information
Applicants to Policy Analyst position in 2023 | Name, email, phone number, and CV information
Applicants to Director of Risk Management and Campus Security position in 2023 | Name, email, phone number, and CV information
Applicants to Dean of Education position in 2019 | Name, email, phone number, and CV information
Applicants to Vice-President, Finance and Administration position in 2022 | Name, email, phone number, and CV information
Applicants to PACE instructor positions from 2014 to March 2024 | Name, email, phone number, and CV information
Applicants to contract academic staff positions for Master's in Development Practice courses in 2012-2023 | Name, mailing address, email, phone number, date of birth, and CV information
Applicants to Communication Events Assistant and Executive Assistant positions in the Faculty of Business and Economics in 2022 | Name, email, phone number, and CV information
Applicants to Faculty of Business and Economics positions in 2011-2012 | Name, email, phone number, and CV information
Applicants to Institute of Urban Studies positions in 2007-2008, 2011, and 2013-2021 | Name, email, phone number, and CV information
Applicants for AVP Engagement, HR, and Indigenous; Executive Director Marketing and Communications; Provost and VP Academic; VP Finance and Administration; VP Research and Innovation; and AVP Indigenous Engagement positions from 2019 to March 2024 | Name, email, phone number, and CV information
Applicants to contract academic staff positions in the Department of Business and Administration in 2020 | Name, email, phone number, and CV information
Population likely affected | Information exposed
Spouses of PACE part-time students whose social insurance number was included on a Manitoba Student Aid application form from 2020 to March 2024 | Social insurance number and income
India Centre event attendees who submitted a cheque in 2017-2022 | Name, email, phone number, mailing address, and cheque information
Canadian Journal of Urban Research members who paid by cheque from 2004 to March 2024 | Name, address, and cheque information
Institute of Urban Studies interns and visiting scholars in 2010 and 2020 | Name, email, phone number, and CV information
Individuals who provided personal health information in relation to a complaint or concern regarding discrimination, harassment, or sexual violence, or a security incident, from 2015 to March 2024 | Name or student number, personal health information collected in relation to details of complaint, concern, or incident, information about care received, and follow-up services offered and received
Individuals who provided personal health information in relation to a security incident in 2007-2014 | Name or student number, personal health information collected in relation to details of complaint, concern, or incident, information about care received, and follow-up services offered and received
Those included in a newly identified group are eligible for two years of credit monitoring service. This service allows individuals to check for signs of identity fraud so protective action can be taken. Enrolling in the credit monitoring service is one of the best means of protecting yourself. You can set it to proactively alert you if anyone is opening a credit account in your name.
If you are included in one of the above groups and have not already received two years of credit monitoring, you can request it here. To make use of this credit monitoring service, you must sign up by December 31, 2024. If you have already received a credit monitoring code, you do not need to reach out to us again. Please direct any questions you may have to incident.support@uwinnipeg.ca.
It is disturbing that higher education institutions like the University and other public sector organizations are being targeted by cyber attacks. This has been a terrible incident that has directly impacted our community. We are grateful to the staff members who worked many long hours to restore systems following the attack, as well as to our entire UWinnipeg community for their patience and understanding through this challenge. Rest assured that we are carefully considering the results of our investigation and will emerge from this incident with stronger cyber defences.
Questions and Support
If you have questions that are not answered in the FAQ below, please email us at incident.support@uwinnipeg.ca or call us at 204.786.9325.
FAQ
Where was the data stolen from?
Data was stolen from a departmental file share – our “o drive.” The University has copies of the data, and access to the o drive has been restored.
Was the O drive secured?
Yes. Access to the o drive was limited to authorized users only, and the drive itself was encrypted.
Has the data been leaked?
Our experts continue to watch for this. We do not believe that the data has been leaked.
Are you aware of any misuse linked to this incident? What can we do now?
No. Unfortunately, organizations across the public and private sectors have been repeatedly targeted by cyber criminals, and our incident is one of many. We all have been and will continue to be at risk of scams and should be vigilant. We also encourage all affected individuals to enrol in the credit monitoring service.
Why were you not able to provide final updates earlier?
In order to accurately update this list, a very large number of files needed to be carefully examined by our investigation team. Now that this investigation is complete, we can provide an accurate and fully updated list.
Will there be additional updates to this list?
Now that all the stolen files have been examined, we do not anticipate that additional groups will be added to this list.
What should I do to protect myself?
As a proactive step, we are providing individuals who are likely affected a two-year credit monitoring service from TransUnion. This is a service that allows one to check for signs of identity fraud so protective action can be taken. Enrolling in the credit monitoring service is one of the best means of protecting yourself. You can set it to proactively alert you if anyone is opening a credit account in your name.
If you are included in one of the groups listed above and have not yet received two years of credit monitoring, complete this form to request instructions for how to enrol. If you have any questions or concerns, please email us at incident.support@uwinnipeg.ca.
If I already signed up for credit monitoring following the initial notification from the University, do I need to do so again?
No. If you have already received a credit monitoring enrolment code from the University, you do not need to request another one. If you have not yet used the code to enrol, you can do so now. Please note that codes received prior to August 15, 2024, will expire on August 30, 2024.
Should I place a fraud alert on my credit file?
A fraud alert is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are protective because they may cause lenders to take extra steps to verify identity. Given that they can also cause transaction delays, we are leaving that choice to you.
Placing a fraud alert on your TransUnion file is free. You can also elect to place a fraud alert on your Equifax credit file.
Should I replace my bank account number and other identification numbers?
Enrolling in the credit monitoring service is one of the best means of protecting yourself. We are not recommending that employees and former employees attempt to change their bank account numbers or their other identification numbers, and social insurance numbers cannot be changed without evidence of actual misuse.
Are individuals other than current and past students and employees affected?
Some specific groups of individuals who were never students or employees have been identified. Please review the list above. If you are included in one of these groups and have not received instructions for signing up for two years of credit monitoring, please email us at incident.support@uwinnipeg.ca.
Why are you not providing both TransUnion and Equifax services?
Having both services is largely redundant.
Why are you not providing more than two years of credit monitoring service?
Given the prevalence of cyber attacks and data theft, the impact of any single event is difficult to determine. In this situation, many organizations will provide a single year of credit monitoring. We elected to provide two years of service, and believe that to be fair.
Will the University compensate me?
The University is providing credit monitoring protection and not compensation. However, if you have an identity theft problem that you believe to be linked to this incident, please let us know right away. There is also insurance available to those who enrol in the credit monitoring service, which is another reason why you should enrol.
Will enrolling in the credit monitoring service affect my credit score?
No, it will not affect your credit score.
I used my work computer to do my personal banking. Should I contact my bank to notify them of the cyber incident?
No, but if you are concerned, you can change your online banking password and, if it isn’t mandatory at your bank, enable multi-factor authentication for access to your bank account.
What should I do if my SIN was part of the information exposed?
You should enrol in the TransUnion monitoring service being provided by the University. Service Canada also advises individuals affected by a breach to regularly review their banking and credit card statements. If an individual notices any suspicious activity related to their SIN, they should report it to the police, contact the Canadian Anti-Fraud Centre and inform Service Canada.
More information is available on the Service Canada website:
In the list of those who may be affected, what do you mean by “employee”?
Many types of individuals have an employment relationship with the University, such as:
- Regular academic staff
- Contract academic staff (including contract instructors/sessionals)
- Regular staff (including all excluded and unionized employees)
- Staff hired on a term or casual basis
- English Language Program instructors
- Research assistants and research associates
- Markers, teaching assistants, tutors, mentors, and student assistants
- Work study students paid by the University
- Post-doctoral fellows paid by the University
If I do not have an employment relationship with the University but received an honorarium, does that make me an “employee”?
No.
If I paid student fees for someone else, does that mean I’m included in this notification?
No.
In the list of those who may be affected, what do you mean by “contractor”?
The University collects social insurance numbers from many types of individuals who provide services to the University for which they are compensated, or who receive University funds for other purposes, such as:
- PACE contract instructors
- Individuals in receipt of honorariums, such as guest speakers
- Undergraduate Student Research Award and Mitacs recipients
- Service providers where the payment is to the individual, e.g., performers, tradespeople
Are classroom computers secure?
Classroom computers are secured in multiple ways. These computers do not have access to campus network services such as file storage and printing. They are further secured to prevent any changes or installation of software, and are reset with each new session.
Does the University require students, faculty, and staff to use multi-factor authentication?
Multi-factor authentication (MFA) has been applied on multiple campus-wide services. MFA is mandatory for use by all faculty, staff and students to allow access to these services. Continued and ongoing progress is being made to expand the services protected by MFA.
Why does the university hold on to the data for so long?
All universities must retain information about their employees and students for long periods of time. Various legal requirements apply, for example, regarding the retention of tax, payroll, and pension information. There are also operational needs to know who has been employed with us in the past, and to have a record of our students for purposes including alumni matters and the issuance of transcripts. There is no single retention policy covering employee and student information because the need to keep individual records varies based on law and operational needs. The University has policies in place governing the secure storage of employee and student information.
What are the policies around how data is stored?
The storing of information at the University is governed by the Information Security Policy and Procedures.
What additional measures are being taken so that a breach like this doesn't happen again?
We have re-secured our network and implemented special measures to protect it. We continue to consider the results of our investigation and are implementing plans to further improve our cyber security posture.
Is the process used for new and current employees to submit personal information to HR secure?
Although the cyber attack on our network exposed employee information, the submission of information to HR follows a secure process.
Is the University’s network now secure?
Yes. We have worked with our expert partners to get all our systems safely and securely back online, and our experts are currently monitoring the network continuously for signs of any problems.
What was installed on UWinnipeg-managed computers during the in-person update?
SentinelOne (or “S1”) and Huntress were installed. These are leading “endpoint security” tools that protect end-user computers from malicious threats and cyber attacks.
Why the need for this new tool?
As networks have evolved, endpoint security tools like S1 and Huntress have become essential to cyber protection. We rolled out S1 and Huntress as part of our recovery from the recent cyber attack to gain confidence that our network had been re-secured and is safe.
Though we had this type of tooling on part of our network prior to the incident, this is a major advance in our network security and is to the benefit of all our community. It will help us avoid the type of disruption that we have recently faced, and it will advance security around employee and student personal information, research data, and other sensitive data.
What specific events, system messages, or activities are included in the system logs recorded by S1?
S1 and Huntress collect data about the computing processes being run on an endpoint and data about how the endpoints are configured. They analyze the data using automated means to detect anomalies that may represent threats and vulnerabilities.
How will the data collected by S1 be used, and who within S1 will have access to this information?
S1 and Huntress collect data using automated means to detect anomalies that may represent threats and vulnerabilities. Alerts are directed to authorized individuals in the Technology Sector, currently via the security experts who are helping the University respond to the cyber incident.
Does the University have access to the logs monitored by S1?
No.
What safeguards are in place to prevent the misuse of collected data or its access for non-security purposes?
S1 and Huntress data are secured and only accessible to authorized personnel from a security company. This company is under a contract with the University that requires it to safeguard information. Alerts are reported to authorized personnel in the Tech Sector.