Cyber attack updates and support

Last updated August 15, 2024 (This page is updated as additional information becomes available. The original announcement can be found here.)

We announced on March 25, 2024, that our university community had been subject to a cyber attack. On April 4, 2024, we confirmed that the stolen data included personal information. A list of the groups likely affected, as well as the types of information exposed, was shared on the University website. Individuals likely affected were provided a two-year credit monitoring service.

At that time, we committed to completing a thorough investigation to determine whether others were affected, and to provide further notifications based on our findings. That investigation has now concluded, and we have updated our notification of groups likely affected and information exposed:

Students – Undergraduate and graduate

Population likely affected

Information exposed

All students enrolled in undergraduate and graduate programs since the academic year beginning in September 2018

Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, fee and tuition amounts, gender information, and marital status information

NSERC Undergraduate Student Research Awards (USRA) winners and internal USRA Humanities and Social Sciences award winners with date of birth or social insurance number on file in 2003-2010

Name, mailing address, date of birth, and social insurance number

Master's in Development Practice students in 2011-2018

Name, mailing address, phone number, email, academic history, and employment history

Master's in Development Practice students on field placements in 2013-2023

Name, passport information, date of birth, and banking information

Undergraduate students in 2008-2015

Student number, date of birth, citizenship, address, gender, and age

Graduate students in 2010-2015

Student number, date of birth, citizenship, address, gender, and age

Graduates (undergraduate and graduate programs) in 2008-2018

Name, date of birth, student number, phone number, mailing address, email, and program information

Master’s in Development Program students who provided personal health information in support of a field placement in 2014-2023

Name, information regarding health insurance, and Personal Health Identification Number

Master’s in Development Program students who provided personal health information in support of an incomplete course request or retroactive withdrawal from 2015 to March 2024

Name and personal health information provided by the student in support of their request

Business and Administration Students who provided personal health information in support of an academic appeal in 2018-2022

Name and personal health information provided by the student in support of their appeal

Graduate students who provided personal health information in support of an academic appeal in 2020-2023

Name and personal health information provided by the student in support of their appeal

Note: Some undergraduate and graduate students may also be included in additional groups, such as “Students – General” and “Other groups.”

Students – Professional, Applied and Continuing Education (PACE)

Population likely affected

Information exposed

All students enrolled in PACE programs since the academic year beginning in September 2019

Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, and tuition amounts

PACE students in 1987-2006

Name, student number, mailing address, phone number, gender, date of birth, and grades

PACE students who requested transfer credits in 2018

Name, date of birth, student number, email, and transcripts

PACE full-time, international students issued a refund by wire payment in 2016-2018

Name, date of birth, student number, email, and banking information

PACE graduates in 2010-2012

Name, date of birth, student number, phone number, mailing address, email, and program information

PACE students who provided personal health information in support of an academic appeal from 2022 to March 2024

Name and personal health information provided by the student in support of their appeal

Note: Some PACE students may also be included in additional groups, such as “Students – General” and “Other.”

Students – English Language Program (ELP)

Population likely affected

Information exposed

All students enrolled in ELP programs since the academic year beginning in September 2019

Names, programs of study, street addresses, student numbers, dates of birth, social insurance numbers, and tuition amounts

ELP graduates in 2018

Name, date of birth, student number, phone number, mailing address, email, and program information

Note: Some ELP students may also be included in additional groups, such as “Students – General” and “Other.”

Students – Collegiate

Population likely affected

Information exposed

Collegiate students in 2018-2022

Name, date of birth, student number, gender, Manitoba Education and Training number, citizenship, email, parent email, phone number, and mailing address

Collegiate graduates in 2008-2009, 2011-2013, and 2018

Name, date of birth, student number, phone number, mailing address, email, and program information

Note: Some Collegiate students may also be included in additional groups, such as “Students – General” and “Other.”

Students – General (individuals from all programs and divisions)

Population likely affected

Information exposed

All students to whom the University issued T4A forms since 2016

Names, street addresses, social insurance numbers, and funding amounts

Students who applied for an award in 2017-2020

Name, phone number, student number, email, type of award and amount, mailing address, citizenship, date of birth, and information about financial need

International students from 2014 to March 2024

Name, student number, date of birth, and Immigration, Refugees and Citizenship Canada number

Students with accounts sent to collections from 2011 to March 2024

Name, email, mailing address, student number, date of birth, and amount owing

Students who paid by wire payment from 2014 to March 2024

Name, student number, banking information, and amount

Students who paid with a cheque declined for insufficient funds from 2012 to March 2024

Name, student number, cheque information, and amount

Students who provided personal health information in a personal statement when applying for an award from 2016 to March 2024

Name and personal health information provided by the student in support of their application

Employees

Population likely affected

Information exposed

All current employees and all former employees employed since 2003

Names, social insurance numbers, dates of birth, street addresses, phone numbers, and compensation information

All current employees and all former employees employed since 2015

Bank account information

Employees on maternity leave, long-term disability leave, or sick leave in 2010 and 2016

Name and type of leave

Employees to whom a letter was sent regarding long-term disability leave in 2010-2021

Name and details of long-term disability benefits

Employees who applied for long-term disability leave from 2020 to March 2024

Name, condition/diagnosis information, symptoms, medical history, hospitalization information, medical information, treatment plans, and medications

Employees who provided a medical note in support of a maternity leave application from 2021 to March 2024

Name and medical note with confirmation of pregnancy and due date

Employees to whom a letter was sent requesting additional information from a doctor regarding sick leave in 2010-2021

Name and request for clarification on restrictions and limitations previously submitted

Employees on sick leave from 2021 to March 2024

Name and personal health information provided by employee in support of sick leave request

Employees who requested or had a workplace accommodation from 2019 to March 2024

Name and personal health information provided by employee in support of accommodation request

Program applicants and prospective students

Population likely affected

Information exposed

ELP applicants in 2020-2021

Name, date of birth, age, gender, and student number

International applicants to undergraduate studies in 2021-2023

Name, date of birth, student number, citizenship, email, mailing address, and program of study

Prospective students from Africa and the United States from 2021 to March 2024

Name, date of birth, email address, mailing address, and citizenship

International applicants who have not been admitted pending study permit approval in 2024

Name, student number, date of birth, and Immigration, Refugees and Citizenship Canada number

Applicants to PACE programs from 2017 to March 2024

Name, date of birth, passport, transcripts, phone number, and address

Applicants to PACE Connecting Aboriginals to Manufacturing program in 2011-2012

Name, date of birth, email, mailing address, and CV information

Prospective PACE students from international recruiting fairs from 2023 to March 2024

Name, email, phone number, and date of birth

Applicants to the Master's in Development Practice program and prospective students, including qualifying year students, who were unsuccessful, deferred, or did not attend from 2011 to March 2024

Name, mailing address, phone number, email, date of birth, academic history, and employment history

Applicants to graduate studies programs in 2018-2020

Name, phone number, student number, email, mailing address, educational history, date of birth, and gender

Contractors

Population likely affected

Information exposed

Homestay host families and host family applicants in 2016-2021

Name, mailing address, email, phone number, occupation, country of birth, and home profile information

Master's in Development Practice guest speakers from whom a social insurance number was collected from 2012 to March 2024

Name, mailing address, email, social insurance number

All contractors from whom the University collected a social insurance number from 2015 to March 2024

Names, street addresses, social insurance numbers, and payment amounts

Honour nominees

Population likely affected

Information exposed

Honorary Doctorate, Professor Emeritus/Emerita, and Fellowship in United College & The University of Winnipeg nominees from 2005 to March 2024

Name, email, phone number, and CV information

Distinguished Alumni award nominees from 2017 to March 2024

Name, email, phone number, and CV information

Position applicants

Population likely affected

Information exposed

Banting Postdoctoral Fellowship candidates who submitted applications to UWinnipeg from 2019 to March 2024

Name, mailing address, date of birth, residency status, phone number, email, and CV information

Applicants to Criminal Justice and Indigenous Law position from January to March 2024

Name, email, phone number, and CV information

Applicants to instructor positions in Criminal Justice from January to March 2024

Name, email, phone number, and CV information

Applicants to Health and Safety Specialist position in 2014

Name, email, phone number, and CV information

Applicants to Insurance and Risk Management Coordinator position in 2020

Name, email, phone number, and CV information

Applicants to Employee Health and Wellness Specialist position in 2020

Name, email, phone number, and CV information

Applicants to Research Counsel position in 2023

Name, email, phone number, and CV information

Applicants to Senior Counsel position in 2023

Name, email, phone number, and CV information

Applicants to Policy Analyst position in 2023

Name, email, phone number, and CV information

Applicants to Director of Risk Management and Campus Security position in 2023

Name, email, phone number, and CV information

Applicants to Dean of Education position in 2019

Name, email, phone number, and CV information

Applicants to Vice-President, Finance and Administration position in 2022

Name, email, phone number, and CV information

Applicants to PACE instructor positions from 2014 to March 2024

Name, email, phone number, and CV information

Applicants to contract academic staff positions for Master's in Development Practice courses in 2012-2023

Name, mailing address, email, phone number, date of birth, and CV information

Applicants to Communication Events Assistant and Executive Assistant positions in the Faculty of Business and Economics in 2022

Name, email, phone number, and CV information

Applicants to Faculty of Business and Economics positions in 2011-2012

Name, email, phone number, and CV information

Applicants to Institute of Urban Studies positions in 2007-2008, 2011, and 2013-2021

Name, email, phone number, and CV information

Applicants for AVP Engagement, HR, and Indigenous; Executive Director Marketing and Communications; Provost and VP Academic; VP Finance and Administration; VP Research and Innovation; and AVP Indigenous Engagement positions from 2019 to March 2024

Name, email, phone number, and CV information

Applicants to contract academic staff positions in the Department of Business and Administration in 2020

Name, email, phone number, and CV information

Other groups

Population likely affected

Information exposed

Spouses of PACE part-time students whose social insurance number was included on a Manitoba Student Aid application form from 2020 to March 2024

Social insurance number and income

India Centre event attendees who submitted a cheque in 2017-2022

Name, email, phone number, mailing address, and cheque information

Canadian Journal of Urban Research members who paid by cheque from 2004 to March 2024

Name, address, and cheque information

Institute of Urban Studies interns and visiting scholars in 2010 and 2020

Name, email, phone number, and CV information

Individuals who provided personal health information in relation to a complaint or concern regarding discrimination, harassment, or sexual violence, or a security incident, from 2015 to March 2024

Name or student number, personal health information collected in relation to details of complaint, concern, or incident, information about care received, and follow-up services offered and received

Individuals who provided personal health information in relation to a security incident in 2007-2014

Name or student number, personal health information collected in relation to details of complaint, concern, or incident, information about care received, and follow-up services offered and received

Those included in a newly identified group are eligible for two years of credit monitoring service. This service allows individuals to check for signs of identity fraud so protective action can be taken. Enrolling in the credit monitoring service is one of the best means of protecting yourself. You can set it to proactively alert you if anyone is opening a credit account in your name.

If you are included in one of the above groups and have not already received two years of credit monitoring, you can request it here. To make use of this credit monitoring service, you must sign up by December 31, 2024. If you have already received a credit monitoring code, you do not need to reach out to us again. Please direct any questions you may have to incident.support@uwinnipeg.ca.

It is disturbing that higher education institutions like the University and other public sector organizations are being targeted by cyber attacks. This has been a terrible incident that has directly impacted our community. We are grateful to the staff members who worked many long hours to restore systems following the attack, as well as to our entire UWinnipeg community for their patience and understanding through this challenge. Rest assured that we are carefully considering the results of our investigation and will emerge from this incident with stronger cyber defences.

Questions and Support

If you have questions that are not answered in the FAQ below, please email us at incident.support@uwinnipeg.ca or call us at 204.786.9325.


FAQ

Cyber attack details

Where was the data stolen from?

Data was stolen from a departmental file share – our “o drive.” The University has copies of the data, and access to the o drive has been restored.

Was the O drive secured?

Yes. Access to the o drive was limited to authorized users only, and the drive itself was encrypted.

Has the data been leaked?

Our experts continue to watch for this. We do not believe that the data has been leaked.

Are you aware of any misuse linked to this incident? What can we do now?

No. Unfortunately, organizations across the public and private sectors have been repeatedly targeted by cyber criminals, and our incident is one of many. We all have been and will continue to be at risk of scams and should be vigilant. We also encourage all affected individuals to enrol in the credit monitoring service.

Why were you not able to provide final updates earlier?

In order to accurately update this list, a very large number of files needed to be carefully examined by our investigation team. Now that this investigation is complete, we can provide an accurate and fully updated list.

Will there be additional updates to this list?

Now that all the stolen files have been examined, we do not anticipate that additional groups will be added to this list.

Information for those who may be affected

What should I do to protect myself?

As a proactive step, we are providing individuals who are likely affected a two-year credit monitoring service from TransUnion. This is a service that allows one to check for signs of identity fraud so protective action can be taken. Enrolling in the credit monitoring service is one of the best means of protecting yourself. You can set it to proactively alert you if anyone is opening a credit account in your name.

If you are included in one of the groups listed above and have not yet received two years of credit monitoring, complete this form to request instructions for how to enrol. If you have any questions or concerns, please email us at incident.support@uwinnipeg.ca.

If I already signed up for credit monitoring following the initial notification from the University, do I need to do so again?

No. If you have already received a credit monitoring enrolment code from the University, you do not need to request another one. If you have not yet used the code to enrol, you can do so now. Please note that codes received prior to August 15, 2024, will expire on August 30, 2024.

Should I place a fraud alert on my credit file? 

A fraud alert is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are protective because they may cause lenders to take extra steps to verify identity. Given that they can also cause transaction delays, we are leaving that choice to you.

Placing a fraud alert on your TransUnion file is free. You can also elect to place a fraud alert on your Equifax credit file.

Should I replace my bank account number and other identification numbers?

Enrolling in the credit monitoring service is one of the best means of protecting yourself. We are not recommending that employees and former employees attempt to change their bank account numbers or their other identification numbers, and social insurance numbers cannot be changed without evidence of actual misuse.

Are individuals other than current and past students and employees affected?

Some specific groups of individuals who were never students or employees have been identified. Please review the list above. If you are included in one of these groups and have not received instructions for signing up for two years of credit monitoring, please email us at incident.support@uwinnipeg.ca.

Why are you not providing both TransUnion and Equifax services?

Having both services is largely redundant.

Why are you not providing more than two years of credit monitoring service?

Given the prevalence of cyber attacks and data theft, the impact of any single event is difficult to determine. In this situation, many organizations will provide a single year of credit monitoring. We elected to provide two years of service, and believe that to be fair.

Will the University compensate me?

The University is providing credit monitoring protection and not compensation. However, if you have an identity theft problem that you believe to be linked to this incident, please let us know right away. There is also insurance available to those who enrol in the credit monitoring service, which is another reason why you should enrol.

Will enrolling in the credit monitoring service affect my credit score?

No, it will not affect your credit score.

I used my work computer to do my personal banking. Should I contact my bank to notify them of the cyber incident?

No, but if you are concerned, you can change your online banking password and, if it isn’t mandatory at your bank, enable multi-factor authentication for access to your bank account.

What should I do if my SIN was part of the information exposed?

You should enrol in the TransUnion monitoring service being provided by the University. Service Canada also advises individuals affected by a breach to regularly review their banking and credit card statements. If an individual notices any suspicious activity related to their SIN, they should report it to the police, contact the Canadian Anti-Fraud Centre and inform Service Canada.

More information is available on the Service Canada website:

In the list of those who may be affected, what do you mean by “employee”?

Many types of individuals have an employment relationship with the University, such as:

  • Regular academic staff
  • Contract academic staff (including contract instructors/sessionals)
  • Regular staff (including all excluded and unionized employees)
  • Staff hired on a term or casual basis
  • English Language Program instructors
  • Research assistants and research associates
  • Markers, teaching assistants, tutors, mentors, and student assistants
  • Work study students paid by the University
  • Post-doctoral fellows paid by the University

If I do not have an employment relationship with the University but received an honorarium, does that make me an “employee”?

No.

If I paid student fees for someone else, does that mean I’m included in this notification?

No.

In the list of those who may be affected, what do you mean by “contractor”?

The University collects social insurance numbers from many types of individuals who provide services to the University for which they are compensated, or who receive University funds for other purposes, such as:

  1. PACE contract instructors
  2. Individuals in receipt of honorariums, such as guest speakers
  3. Undergraduate Student Research Award and Mitacs recipients
  4. Service providers where the payment is to the individual, e.g., performers, tradespeople

Campus cyber security

Are classroom computers secure?

Classroom computers are secured in multiple ways. These computers do not have access to campus network services such as file storage and printing. They are further secured to prevent any changes or installation of software, and are reset with each new session.

Does the University require students, faculty, and staff to use multi-factor authentication?

Multi-factor authentication (MFA) has been applied on multiple campus-wide services. MFA is mandatory for use by all faculty, staff and students to allow access to these services. Continued and ongoing progress is being made to expand the services protected by MFA.

Why does the university hold on to the data for so long?

All universities must retain information about their employees and students for long periods of time. Various legal requirements apply, for example, regarding the retention of tax, payroll, and pension information. There are also operational needs to know who has been employed with us in the past, and to have a record of our students for purposes including alumni matters and the issuance of transcripts. There is no single retention policy covering employee and student information because the need to keep individual records varies based on law and operational needs. The University has policies in place governing the secure storage of employee and student information.

What are the policies around how data is stored?

The storing of information at the University is governed by the Information Security Policy and Procedures.

What additional measures are being taken so that a breach like this doesn't happen again?

We have re-secured our network and implemented special measures to protect it. We continue to consider the results of our investigation and are implementing plans to further improve our cyber security posture.

Is the process used for new and current employees to submit personal information to HR secure?

Although the cyber attack on our network exposed employee information, the submission of information to HR follows a secure process.

Is the University’s network now secure?

Yes. We have worked with our expert partners to get all our systems safely and securely back online, and our experts are currently monitoring the network continuously for signs of any problems.

Security software on UWinnipeg-managed computers

What was installed on UWinnipeg-managed computers during the in-person update?

SentinelOne (or “S1”) and Huntress were installed. These are leading “endpoint security” tools that protect end-user computers from malicious threats and cyber attacks.

Why the need for this new tool?

As networks have evolved, endpoint security tools like S1 and Huntress have become essential to cyber protection. We rolled out S1 and Huntress as part of our recovery from the recent cyber attack to gain confidence that our network had been re-secured and is safe.

Though we had this type of tooling on part of our network prior to the incident, this is a major advance in our network security and is to the benefit of all our community. It will help us avoid the type of disruption that we have recently faced, and it will advance security around employee and student personal information, research data, and other sensitive data.

What specific events, system messages, or activities are included in the system logs recorded by S1?

S1 and Huntress collect data about the computing processes being run on an endpoint and data about how the endpoints are configured. They analyze the data using automated means to detect anomalies that may represent threats and vulnerabilities.

How will the data collected by S1 be used, and who within S1 will have access to this information?

S1 and Huntress collect data using automated means to detect anomalies that may represent threats and vulnerabilities. Alerts are directed to authorized individuals in the Technology Sector, currently via the security experts who are helping the University respond to the cyber incident.

Does the University have access to the logs monitored by S1?

No.

What safeguards are in place to prevent the misuse of collected data or its access for non-security purposes?

S1 and Huntress data are secured and only accessible to authorized personnel from a security company. This company is under a contract with the University that requires it to safeguard information. Alerts are reported to authorized personnel in the Tech Sector.