
Privacy breach and password change request notice, March 2, 2020

March, 2020

A breach of privacy affecting personal information at Simon Fraser University (SFU) was identified on February 28, 2020. The purpose of this notice is to explain what we currently know about this breach, what steps the University is taking, and what steps you can take to protect your personal information, privacy, and identity. The information in this notice applies to faculty, staff, students, alumni, and retirees who joined the University prior to June 20, 2019.

Change your password

This message is being published on behalf of Mark Roman, Chief Information Officer.

I regret to inform you that there has been a breach of privacy affecting personal information at Simon Fraser University (SFU).  The purpose of this notice is to explain what we currently know about this breach, what steps the University is taking, and what steps you can take to protect your personal information, privacy, and identity.

The information below applies to faculty, staff, students, alumni, and retirees who joined the University prior to June 20, 2019. If this includes you, please promptly change your SFU Computing ID password. While it does not appear that any SFU Computing accounts have been compromised, changing your password now will significantly mitigate that risk.

The steps we ask you to take

The immediate steps you should take to protect your personal information, privacy, and identity are:

  • Promptly change your SFU Computing ID password. This should only take you 2 minutes. Change your password here.
  • Use your new password when connecting to SFU Wi-Fi and any online applications such as goSFU, myINFO, SFU Mail, and SFU Vault.
  • Monitor personal accounts and memberships of all kinds for any unusual activity over the next several months.

The privacy breach

The privacy breach occurred when SFU’s system was subjected to a ransomware attack that found a weakness in the way the information was handled. This weakness has been discovered and corrected. No SFU systems are currently exposed. The data was exposed on February 27, 2020, and the issue was identified and corrected on February 28, 2020.

The personal information exposed and the potential risks

The personal information that was exposed is comprised of the types listed below:

  • SFU Computing ID
  • SFU student/employee ID number
  • First, last and preferred names
  • Birthdate
  • Employee group
  • Mail lists which the SFU Computing ID belongs to
  • Course enrollment
  • External email address
  • Data from web forms 
  • Encrypted passwords were also exposed.

The potential risks and harms connected with the exposure of your personal information are:

  • Identity theft;
  • Additional personal information being discovered by linking the exposed information with other sources of information; and
  • Unsolicited bulk or commercial email.

The steps SFU is taking

SFU is taking immediate steps to control or reduce the potential harm from this breach and to prevent future incidents.  We are:

  • Notifying affected individuals about the data breach;
  • Assisting individuals upon request and as needed to mitigate any harm;
  • Investigating the cause and extent of the data breach and taking further action as appropriate;
  • Evaluating the risks associated with the breach and responding to them as we receive more information;
  • Reviewing and changing as appropriate physical, procedural, and technical security measures;
  • Reviewing and changing as appropriate internal operating policies and procedures; and
  • Reporting this privacy breach to BC's Office of the Information and Privacy Commissioner.

Who to contact for help

If you have questions, want more information, or need further assistance, please contact:

IT Services

Telephone: 778-782-4828
Email: its-help@sfu.ca
In-person: IT Service Centres in the Burnaby (SCP 9300 or WMC2262), Surrey (Room 353) or Vancouver (HC1300) campuses.

Contacting the Office of the Information and Privacy Commissioner for British Columbia

You can consult the website for that Office at https://www.oipc.bc.ca/ for general information about protection of personal privacy.  You have the right to complain to the Commissioner by writing to:

Information and Privacy Commissioner
PO Box 9038, Stn Prov Govt
Victoria, British Columbia V8W 9A4
Tele. 250-387-5629  Fax 250-387-1696

If you submit a complaint, please provide the Commissioner’s office with:

  1. Your name, address and telephone number;
  2. A copy of this letter; and,
  3. The reasons or grounds upon which you are complaining.

We deeply regret this incident, are working diligently to contain the situation and are committed to helping mitigate the potential risks and harm to our faculty, staff, students, alumni, and retirees.

Yours truly,

Mark Roman
Chief Information Officer

FAQ

General questions

When was this breach identified by SFU?

The data was exposed on February 27, 2020, and the issue was identified and corrected on February 28, 2020.

What personal information was included?

The personal information about you that was disclosed is comprised of the types listed below:

  • SFU Computing ID
  • SFU student/employee ID number
  • First, last, and preferred names
  • Birthdate
  • Employee group
  • Mail lists which the SFU Computing ID belongs to
  • Course enrollment
  • External email address
  • Encrypted passwords were also exposed.
  • Data from web forms:
    • 2017 BBY Math Camp Acceptance
    • 2017 Math Camp - Teacher Application
    • 2017 SRY Math Camp Acceptance
    • AP Position in Environmental Economic Geography
    • Apply to Co-op Application Form
    • Burnaby Audio Visual Consultation
    • Campaigner - Email Marketing Service - Sub-Account Creation Request Form
    • Coast Capital Savings Venture Connection - Mentor Meet
    • Collaboration Tool - SharePoint(ol
    • Department of Geography TA Marker Job Application - External
    • Department of Geography TA Marker Job Application - Internal
    • Department of Mathematics - Burnaby Camp Payment
    • Department of Mathematics - Camp Payment
    • Department of Mathematics - K-12 Students & Teachers School Maillist
    • Digital Records Transfer Request Form: Private Records
    • Digital Records Transfer Request Form: University Records
    • Employment Opportunities - Sessional Application Form
    • Employment Opportunities - TA TM Application Form
    • Environment Research Talks
    • Faculty of Applied Sciences - Meet a Student
    • Faculty of Applied Sciences - Student Employment Application
    • Faculty of Environment EnvirO 2017
    • Faculty of Environment EnviroFrosh 2018
    • Faculty of Environment EnvironMentors
    • Faculty of Environment Graduate Student Event Survey
    • Faculty of Environment Profile Photoshoots
    • Finance - Compliments and Concerns
    • Finance - Feedback, Questions, or Comments
    • Finance Program Phase Two
    • Financial Aid and Awards Advising
    • Food for Thought Feedback, Questions, or Comments
    • Formation des enseignants - Programme de formation professionnelle - ANF inscription
    • Gerontology Research Centre Newsletter
    • Graduate Progress Reports FAQ
    • Impacts of Bicycle Infrastructure in mid-Sized Cities - Contact Us
    • India Connect SFU: Entrepreneurship Co-op
    • Institute for the Humanities - Join Our Mailing List
    • International Community Engagement - SFU Academic-CSO
    • Join STAR Institute
    • Language Learning and Development Lab - Parent Registration
    • Math Camp Nomination - Burnaby
    • Math Camp Nomination - Surrey
    • Math Catcher Expectation Agreement
    • Math Catcher Math Camp Application
    • Opportunities in Geography - Online Application Form - Sessionals
    • Opportunities in Geography - Online Application Form - TA (Internal)
    • Parking Lottery Application
    • Phonological Processing Lab Comments and Questions
    • Privacy Breach Report
    • Professional Master's - Visual Computing Application
    • Program Change - Surrey Campus Registration Form
    • Program Change - Surrey Campus Registration Form
    • Research ImageTech Lab
    • SCD Program Application Form
    • School of Sustainable Energy Engineering Newsletter
    • SFU Geography online application
    • SFU Reconciliation Funding Concepts
    • SFU Reconciliation Report Feedback
    • SLC: Academic English Coaching
    • Standardized Equipment Purchase Program Order Form
    • Stay in touch with Faculty of Environment
    • Student Services Admission deferral request
    • Student Services Admissions Team Email
    • Student Services Source - Data: General Request
    • Student-Community Engagement Competition - Register now
    • Student-Community Engagement Competition - Register to Attend
    • Student-Community Engagement Competition - Registration
    • Student-Community Engagement Competition - Submit your idea
    • Students Event Career Workshop
    • Submit a Proposal: Innovate: New Approaches to Canadian International Cooperation
    • Symposium on ath & Computation 2017 Registration
    • The Lighthouse Labs Prize at SFU
    • The Work of Words RSVP
    • Undergraduate Student Writing Contest Submissions 2018
    • Vancouver Campus INgagement program
    • Volunteer Appreciation Gala Alumni RSVP
    • Volunteer Appreciation Gala Staff and Faculty RSVP
    • Volunteer Appreciation Gala Student RSVP
    • Women in Computing Science CodeMavens

Were passwords encrypted?

Yes, only encrypted passwords were exposed.

Was my SFU Computing account compromised?

While it does not appear that your SFU Computing account has been compromised, taking the precaution now of changing your password will significantly reduce that risk.

If I used my SFU Computing account password for any other service such as alternate email, what should I do?

You should never use this password again. If you used this password for another service such as alternate email, you should change your passwords there as well. Do not set the password for your SFU Computing account to be the same as you use for other systems or websites.

What can I do to protect myself?

The immediate steps you should take to protect your personal information, privacy, and identity are:

  • Promptly change your SFU Computing ID password. This should only take you 2 minutes. To change your password, click here.
  • Use your new password when connecting to SFU Wi-Fi and any online applications such as goSFU, myINFO, SFU Mail, and SFU Vault.
  • Monitor personal accounts and memberships of all kinds for any unusual activity over the next several months.

What is the University doing to prevent this from happening in the future?

SFU is taking immediate steps to control or reduce the potential harm from this breach and to prevent future incidents. We are:

  • Investigating the cause and extent of the data breach and taking further action as appropriate;
  • Evaluating the risks associated with the breach and responding to them as we receive more information;
  • Reviewing and changing as appropriate physical, procedural, and technical security measures; and
  • Reviewing and changing as appropriate internal operating policies and procedures.

Who can I contact to file a complaint?

You have the right to complain to the University. The procedure for making a privacy complaint to the University is available at https://www.sfu.ca/archives/foipop/PrivacyBreach.html.

You may consult the website of the Office of the Information and Privacy Commissioner (OIPC) at www.oipc.bc.ca for general information about the protection of personal privacy. You have the right to complain to the Commissioner by writing to:

Information and Privacy Commissioner
PO Box 9038, Stn. Prov. Govt.
Victoria, British Columbia V8W 9A4
Telephone: 250-387-5629
Email: info@oipc.bc.ca

If you submit a complaint, please provide the Commissioner’s office with:

  1. Your name, address, and telephone number;
  2. A copy of this letter; and
  3. The reasons or grounds upon which you are complaining.

Password reset and system related questions

How do I update my SFU Wi-Fi password?

For full instructions, click here.

How long will it take to reset my password?

It will take approximately two minutes to update your password and up to 30 minutes for the new password to be activated.

Why does synching passwords take so long?

Activating your new password requires a synchronization process to enable you to authenticate on multiple devices. Password change requests are queued and, given the high volumes, this process may take up to 60 minutes, compared with 15 minutes for normal synchronization.

What if I am using multiple devices?

Your SFU Computing ID password will need to be updated for each device. We recommend using the instructions below or contacting an IT Service Centre, Desktop Support Consultant or a local IT staff member for assistance.

I cannot authenticate to SFU Wi-Fi on my cell phone after resetting my password. What can I do to fix this?

Try the following:

  • Re-enter your SFU Computing ID and password; or
  • Under your Wi-Fi connection settings, try the option to forget the network. Connect to data. Re-install XpressConnect. Further instructions can be found here.

Note: Samsung Internet appears to be more effective than Google for Samsung cell phones.

I keep getting prompted to update my password for Outlook on my Mac. How do I stop this?

  • Quit Microsoft Outlook and all other Office applications
  • Open Keychain Access.app from the Utilities folder
  • In the search field in Keychain Access, enter “Exchange”
  • In the search results, select each item to view the Account that's listed at the top, and then press Delete. Repeat this step to delete all items for your Exchange account.
  • In the search field, enter “adal”.
  • Select all items whose type is “MicrosoftOffice15_2_Data:ADAL:<GUID>”, and then press Delete.
  • In the search field, enter “office”.
  • Select the items that are named “Microsoft Office Identities Cache 2” and “Microsoft Office Identities Settings 2”, and then press Delete.
  • Quit Keychain Access.
  • Open Outlook again and enter your account information when prompted

Microsoft Outlook (Windows) keeps prompting me for a password. How do I fix this?

Follow the steps below to clear cached/saved Windows credentials:

  1. Type ‘Control Panel’ in the search field near the Start menu. Press Enter.
  2. Select Credential Manager.
  3. Select Windows Credentials.
  4. Look for the set of credentials that starts with Microsoft_OC1:uri or MicrosoftOffice16_Data:SSPI:j
  5. Click on Remove.
  6. Repeat steps 4 and 5 for additional sets of credentials that have the word Outlook or MicrosoftOffice in the name.

Why am I no longer able to print from an unmanaged device after changing my SFU Computing ID password?

For both Mac OS X and Windows devices (workstations and laptops), you will need to remove saved credentials.

For Mac OS X, follow the steps below:

  • Make note of the printer name (e.g. SFU_Print).
  • Open Finder. Click Go, then Utilities.
  • Find the Keychain Access app and double-click it.
  • Use the side navigation menu and look for Category. Click on Passwords.
  • Locate the printer name. Right-click and select Delete.
  • Try to print again.
  • Check that the Registered User button is selected. Enter your username in the following format: ADSFU\username, where username is your SFU Computing ID.
  • Enter your new password.
  • Check the box to Remember this password in my keychain. Click OK.

For Windows, follow the steps below:

  • Click on the Windows icon in the bottom left to pull up the Start Menu.
  • Click on the sprocket icon to open Windows Settings.
  • Search for and click on Credential Manager in the Windows Settings window.
  • Under Manage your credentials, select Windows Credentials.
  • Find the entry for your cs-pcut-staff-p.mps.sfu.ca account and click the down arrow in a circle on the right to expand it.
  • Click Edit.
  • Enter your password.
  • Click Save.