Cyberattack and Exposure of Personally Identifiable Information

The university is also listing data categories for those involved in the cyberattack. If you meet the criteria for one or more of the following categories, please refer to our next steps section or navigate to our contact section for live assistance. 

Faculty data

• Continuing Faculty with active ranks in 2018
• Continuing and Term Librarians with active ranks in 2018
• Term Instructors actively teaching in 2018 (including Term Lecturers, Term Lab Instructors, Visiting Faculty, Post Retirement Faculty)
• Sessional Instructors actively teaching in 2018

Student admissions and enrollment data

• Student who enrolled between 2012-2020
• International who enrolled between 2009-2018
• Student enrollments between fall 2012 - spring 2019

Student course data

• Engineering Science & Math student grades between 2013-2018
• Student grades for Pre-Calculus and Calculus between 1999-2018
• Statistics 403 course grade data for transfer credit students between 2000-2016

Student other data

• Students with international characters (such as à, ä, â, 市 ...etc.) in their name or address between 2007-2014 

Student academic status data

• Students who applied for financial aid between 1988 - 2017
• Students on academic probation in December 2018
• Undergraduate and graduate student honour and awards between 1968-2020
• Students who made transcript requests between 2016-2019

Student group data

• Indigenous students in fall 2018
• Fraser International College (FIC) students between 2014-2018
• Student athletes between 2006-2014
• National Collegiate Athletic Association (NCAA) student data from 2018

Spreadsheet data on the breached server contained personally identifiable information for a number of current and former students, faculty, staff and student applicants. The personal information varies for each individual based on the type of information stored within the spreadsheets. The majority of personally identifiable information stored in the server was student/staff ID numbers with at least one other data point. The other data points are varied. Examples include things like admission or academic standing data.

The university is working to notify all impacted individuals with the details of what may have been exposed for each person.

The number of individuals impacted, with at least one type of personally identifiable information, is approximately 200,000. The personally identifiable information for approx. 75% of those impacted (150,000 people) is their student/employee ID number and at least one other data element, but no name identifier (first name/last name).

Information security personnel were alerted to the incident on February 5 and upon investigation it was discovered that the server had been attacked. The compromised server was shut down immediately when the breach was discovered. The server was breached on February 3.

SFU is currently notifying individuals impacted by this breach and assisting those who may have any questions or need assistance. The university is also:

• Continuing to conduct a full forensic analysis
• Coordinating with the Office of the Information and Privacy Commissioner (OIPC) for B.C.
• Auditing internal policies and procedures to identify improvements
• Accelerating initiatives that continue strengthening our cyber-security systems

Information security and transparency remain at the forefront of SFU’s commitment to this community, and we truly regret that this has happened.

The breached server held a large number of spreadsheets that contained both public and personal data, which made the analysis of determining what personal information may have been exposed very detailed and time-consuming. In order to understand what information may have been accessed and of that, what may be personally identifiable information, our staff needed to review every record on the server. Our teams worked around the clock to complete this review as quickly as possible. We also needed to aggregate the data to summarize all personal information that may have been exposed for each individual.

To not be blocked as spam by external email providers, we are spacing out the mailing of our notification to individuals with external email addresses (e.g., Gmail, Hotmail, etc.) over one week, from February 16 - February 23.

It is important to note that although some personal information may have been exposed the probability of identity theft from this attack is low. The data exposed does not include information such as banking details, Social Insurance Numbers (SIN) or passwords.

Cybersecurity attacks are an ongoing global threat and cyberattack attempts are on the rise. During this incident, an attacker was able to access data on only one server. As there was data with personal information, there is a risk that the information may be sold or publicly disclosed.  

The university works continually to ensure that the security of SFU information technology systems is robust, but businesses are facing increasingly sophisticated attacks that continue to evolve and advance in their methods. 

The probability of identity theft from this attack is low. The data exposed does not include information such as banking details, Social Insurance Numbers (SIN) or passwords.

The cyberattack in March 2020 was very different than this current one; the two attacks are unrelated. This incident and the previous incident from last year are separate types of attacks with distinctly different forensic evidence.

Information security is an institutional priority. The university has been steadily increasing our information security systems and continues to do so. In support, and with the support, of the university community SFU is working to further safeguard our online environments and platforms.

SFU has moved the majority of the university’s servers into a highly secure SFU Cloud environment. The Cloud continuously verifies users, resources, devices and applications before granting even a minimum level of access (also known as a "zero-trust" network).

In 2020, SFU released several new services to help individuals further safeguard their information online. SFU has implemented multi-factor authentication, which uses something you know (such as your password) and something you have (such as your mobile device) to securely verify your identity before logging in to our services. As per SFU’s announcement in October 2020, by May 2021 we will require all faculty and staff at SFU to be enrolled in MFA.

For faculty or staff working remotely, SFU has also introduced an encrypted and secure Virtual Private Network (VPN) to use while working off campus. Endpoint security was also improved last year with the implementation of the managed device project.