Cyber attack updates and support

(Note: This page was updated as additional information became available. The original announcement can be found here.)

We announced on March 25, 2024, that our university community had been subject to a cyber attack. On April 4, 2024, we confirmed that the stolen data included personal information. A list of the groups likely affected, as well as the types of information exposed, was shared on the University website. Individuals likely affected were provided a two-year credit monitoring service.

At that time, we committed to completing a thorough investigation to determine whether others were affected, and to provide further notifications based on our findings. That investigation has now concluded, and we have updated our notification of groups likely affected and information exposed:

Expand All

Students – Undergraduate and graduate Students – Professional, Applied and Continuing Education (PACE) Students – English Language Program (ELP) Students – Collegiate Students – General (individuals from all programs and divisions) Employees Program applicants and prospective students Contractors Honour nominees Position applicants Other groups

Those included in the groups listed above were eligible to receive two years of credit monitoring service if they requested and signed up for the service before December 31, 2024. This offer is no longer available.

It is disturbing that higher education institutions like the University and other public sector organizations are being targeted by cyber attacks. This was a terrible incident that directly impacted our community. We are grateful to the staff members who worked many long hours to restore systems following the attack, as well as to our entire UWinnipeg community for their patience and understanding through this challenge. Rest assured that we have emerged from this incident with stronger cyber defences.

Questions and Support

If you have questions that are not answered in the FAQ below, please email us at incident.support@uwinnipeg.ca or call us at 204.786.9325.

FAQ

Expand All

Cyber attack details Information for those who may be affected

Should I place a fraud alert on my credit file?

A fraud alert is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. They are protective because they may cause lenders to take extra steps to verify identity. Given they can also cause transaction delays, we are leaving that choice to you.

Placing a fraud alert on your TransUnion file is free. You can also elect to place a fraud alert on your Equifax credit file.

Should I replace my bank account number and other identification numbers?

Enrolling in the credit monitoring service is one of the best means of protecting yourself. We are not recommending that employees and former employees attempt to change their bank account numbers or their other identification numbers, and social insurance numbers cannot be changed without evidence of actual misuse.

Are individuals other than current and past students and employees affected?

Some specific groups of individuals who were never students or employees have been identified. Please review the list above.

Is the credit monitoring service that was provided by the University still available?

This offer expired on December 31, 2024, and is no longer available.

Why didn't you provide more than two years of credit monitoring service?

Given the prevalence of cyber attacks and data theft, the impact of any single event is difficult to determine. In this situation, many organizations will provide a single year of credit monitoring. We elected to provide two years of service, and believe that to be fair.

Will the University compensate me?

The University provided credit monitoring protection and not compensation. However, if you have an identity theft problem that you believe to be linked to this incident, please let us know right away. There is also insurance available to those who enrolled in the credit monitoring service.

I used my work computer to do my personal banking. Should I contact my bank to notify them of the cyber incident?

No, but if you are concerned, you can change your online banking password and, if it isn’t mandatory at your bank, enable multi-factor authentication for access to your bank account.

In the list of those who may be affected, what do you mean by “employee”?

Many types of individuals have an employment relationship with the University, such as:

Regular academic staff
Contract academic staff (including contract instructors/sessionals)
Regular staff (including all excluded and unionized employees)
Staff hired on a term or casual basis
English Language Program instructors
Research assistants and research associates
Markers, teaching assistants, tutors, mentors, and student assistants
Work study students paid by the University
Post-doctoral fellows paid by the University

If I do not have an employment relationship with the University but received an honorarium, does that make me an “employee”?

No.

If I paid student fees for someone else, does that mean I’m included in this notification?

No.

In the list of those who may be affected, what do you mean by “contractor”?

The University collects social insurance numbers from many types of individuals who provide services to the University for which they are compensated, or who receive University funds for other purposes, such as:

PACE contract instructors
Individuals in receipt of honorariums, such as guest speakers
Undergraduate Student Research Award and Mitacs recipients
Service providers where the payment is to the individual, e.g., performers, tradespeople

Campus cyber security

Are classroom computers secure?

Classroom computers are secured in multiple ways. These computers do not have access to campus network services such as file storage and printing. They are further secured to prevent any changes or installation of software, and are reset with each new session.

Does the University require students, faculty, and staff to use multi-factor authentication?

Multi-factor authentication (MFA) has been applied on multiple campus-wide services. MFA is mandatory for use by all faculty, staff and students to allow access to these services. Continued and ongoing progress is being made to expand the services protected by MFA.

Why does the university hold on to the data for so long?

All universities must retain information about their employees and students for long periods of time. Various legal requirements apply, for example, regarding the retention of tax, payroll, and pension information. There are also operational needs to know who has been employed with us in the past, and to have a record of our students for purposes include alumni matters and the issuance of transcripts. There is no single retention policy covering employee and student information because the need to keep individual records varies based on law and operational needs. The University has policies in place governing the secure storage of employee and student information.

What are the policies around how data is stored?

The storing of information at the University is governed by the Information Security Policy and Procedures.

What additional measures are being taken so that a breach like this doesn't happen again?

We have re-secured our network and implemented special measures to protect it. We continue to consider the results of our investigation and are implementing plans to further improve our cyber security posture.

Is the process used for new and current employees to submit personal information to HR secure?

Although the cyber attack on our network exposed employee information, the submission of information to HR follows a secure process.

Is the University’s network now secure?

Yes—we have worked with our expert partners to get all our systems safely and securely back online, and our experts our currently monitoring the network continuously for signs of any problems.

Security software on UWinnipeg-managed computers

What was installed on UWinnipeg-managed computers during the in-person update?

SentinelOne (or “S1”) and Huntress were installed. These are leading “endpoint security” tools that protect end-user computers from malicious threats and cyber attacks.

Why the need for this new tool?

As networks have evolved, endpoint security tools like S1 and Huntress have become essential to cyber protection. We rolled out S1 and Huntress as part of our recovery to the recent cyber attack to gain confidence that our network had been re-secured and is safe.

Though we had this type of tooling on part of our network prior the incident, this is a major advance in our network security and is to the benefit of all our community. It will help us avoid the type of disruption that we have recently faced, and it will advance security around employee and student personal information, research data, and other sensitive data.

What specific events, system messages, or activities are included in the system logs recorded by S1?

S1 and Huntress collect data about the computing processes being run on an endpoint and data about how the endpoints are configured. They analyze the data using automated means to detect anomalies that may represent threats and vulnerabilities.

How will the data collected by S1 be used, and who within S1 will have access to this information?

S1 and Huntress collect data using automated means to detect anomalies that may represent threats and vulnerabilities. Alerts are directed to authorized individuals in the Technology Sector, currently via the security experts who are helping the University respond to the cyber incident.

Does the University have access to the logs monitored by S1?

No.

What safeguards are in place to prevent the misuse of collected data or its access for non-security purposes?

S1 and Huntress data are secured and only accessible to authorized personnel from a security company. This company is under a contract with the University that requires it to safeguard information. Alerts are reported to authorized personnel in the Tech Sector.

Population likely affected	Information exposed
All students enrolled in undergraduate and graduate programs since the academic year beginning in September 2018	Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, fee and tuition amounts, gender information, and marital status information
NSERC Undergraduate Student Research Awards (USRA) winners and internal USRA Humanities and Social Sciences award winners with date of birth or social insurance number on file in 2003-2010	Name, mailing address, date of birth, and social insurance number
Master's in Development Practice students in 2011-2018	Name, mailing address, phone number, email, academic history, and employment history
Master's in Development Practice students on field placements in 2013-2023	Name, passport information, date of birth, and banking information
Undergraduate students in 2008-2015	Student number, date of birth, citizenship, address, gender, and age
Graduate students in 2010-2015	Student number, date of birth, citizenship, address, gender, and age
Graduates (undergraduate and graduate programs) in 2008-2018	Name, date of birth, student number, phone number, mailing address, email, and program information
Master’s in Development Program students who provided personal health information in support of a field placement in 2014-2023	Name, information regarding health insurance, and Personal Health Identification Number
Master’s in Development Program students who provided personal health information in support of an incomplete course request or retroactive withdrawal from 2015 to March 2024	Name and personal health information provided by the student in support of their request
Business and Administration Students who provided personal health information in support of an academic appeal in 2018-2022	Name and personal health information provided by the student in support of their appeal
Graduate students who provided personal health information in support of an academic appeal in 2020-2023	Name and personal health information provided by the student in support of their appeal

Population likely affected	Information exposed
All students enrolled in PACE programs since the academic year beginning in September 2019	Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, and tuition amounts
PACE students in 1987-2006	Name, student number, mailing address, phone number, gender, date of birth, and grades
PACE students who requested transfer credits in 2018	Name, date of birth, student number, email, and transcripts
PACE full-time, international students issued a refund by wire payment in 2016-2018	Name, date of birth, student number, email, and banking information
PACE graduates in 2010-2012	Name, date of birth, student number, phone number, mailing address, email, and program information
PACE students who provided personal health information in support of an academic appeal from 2022 to March 2024	Name and personal health information provided by the student in support of their appeal

Population likely affected	Information exposed
All students to whom the University issued T4A forms since 2016	Names, street addresses, social insurance numbers, and funding amounts
Students who applied for an award in 2017-2020	Name, phone number, student number, email, type of award and amount, mailing address, citizenship, date of birth, and information about financial need
International students from 2014 to March 2024	Name, student number, date of birth, and Immigration, Refugees and Citizenship Canada number
Students with accounts sent to collections from 2011 to March 2024	Name, email, mailing address, student number, date of birth, and amount owing
Students who paid by wire payment from 2014 to March 2024	Name, student number, banking information, and amount
Students who paid with a cheque declined for insufficient funds from 2012 to March 2024	Name, student number, cheque information, and amount
Students who provided personal health information in a personal statement when applying for an award from 2016 to March 2024	Name and personal health information provided by the student in support of their application

Population likely affected	Information exposed
All current employees and all former employees employed since 2003	Names, social insurance numbers, dates of birth, street addresses, phone numbers, and compensation information
All current employees and all former employees employed since 2015	Bank account information
Employees on maternity leave, long-term disability leave, or sick leave in 2010 and 2016	Name and type of leave
Employees to whom a letter was sent regarding long-term disability leave in 2010-2021	Name and details of long-term disability benefits
Employees who applied for long-term disability leave from 2020 to March 2024	Name, condition/diagnosis information, symptoms, medical history, hospitalization information, medical information, treatment plans, and medications
Employees who provided a medical note in support of a maternity leave application from 2021 to March 2024	Name and medical note with confirmation of pregnancy and due date
Employees to whom a letter was sent requesting additional information from a doctor regarding sick leave in 2010-2021	Name and request for clarification on restrictions and limitations previously submitted
Employees on sick leave from 2021 to March 2024	Name and personal health information provided by employee in support of sick leave request
Employees who requested or had a workplace accommodation from 2019 to March 2024	Name and personal health information provided by employee in support of accommodation request

Population likely affected	Information exposed
ELP applicants in 2020-2021	Name, date of birth, age, gender, and student number
International applicants to undergraduate studies in 2021-2023	Name, date of birth, student number, citizenship, email, mailing address, and program of study
Prospective students from Africa and the United States from 2021 to March 2024	Name, date of birth, email address, mailing address, and citizenship
International applicants who have not been admitted pending study permit approval in 2024.	Name, student number, date of birth, and Immigration, Refugees and Citizenship Canada number
Applicants to PACE programs from 2017 to March 2024	Name, date of birth, passport, transcripts, phone number, and address
Applicants to PACE Connecting Aboriginals to Manufacturing program in 2011-2012	Name, date of birth, email, mailing address, and CV information
Prospective PACE students from international recruiting fairs from 2023 to March 2024	Name, email, phone number, and date of birth
Applicants to the Master's in Development Practice program and prospective students, including qualifying year students, who were unsuccessful, deferred, or did not attend from 2011 to March 2024	Name, mailing address, phone number, email, date of birth, academic history, and employment history
Applicants to graduate studies programs in 2018-2020	Name, phone number, student number, email, mailing address, educational history, date of birth, and gender