MENU

Cyberattack and Exposure of Personally Identifiable Information

February, 2021

What happened?

On February 5, 2021 SFU staff discovered that there had been a cyberattack on one of SFU’s servers. SFU IT Services immediately isolated the server and began an investigation. The investigation found that personally identifiable information was stored among the data on this server and we are working to notify all impacted individuals.

Who was impacted?

SFU is directly notifying individuals impacted by this breach and assisting those who may have any questions. Online self-assessment is also available for your SFU account via our cybersecurity webpage.

Can't use the self-assessment tool? Check out the impacted data catagories.

The university is also listing data categories for those involved in the cyberattack. If you meet the criteria for one or more of the following categories, please refer to our next steps section or navigate to our contact section for live assistance. 

Faculty data

  • Continuing Faculty with active ranks in 2018
  • Continuing and Term Librarians with active ranks in 2018
  • Term Instructors actively teaching in 2018 (including Term Lecturers, Term Lab Instructors, Visiting Faculty, Post Retirement Faculty)
  • Sessional Instructors actively teaching in 2018

Student admissions and enrollment data

  • Student who enrolled between 2012-2020
  • International who enrolled between 2009-2018
  • Student enrollments between fall 2012 - spring 2019

Student course data

  • Engineering Science & Math student grades between 2013-2018
  • Student grades for Pre-Calculus and Calculus between 1999-2018
  • Statistics 403 course grade data for transfer credit students between 2000-2016

Student other data

  • Students with international characters (such as à, ä, â, 市 ...etc.) in their name or address between 2007-2014 

Student academic status data

  • Students who applied for financial aid between 1988 - 2017
  • Students on academic probation in December 2018
  • Undergraduate and graduate student honour and awards between 1968-2020
  • Students who made transcript requests between 2016-2019

Student group data

  • Indigenous students in fall 2018
  • Fraser International College (FIC) students between 2014-2018
  • Student athletes between 2006-2014
  • National Collegiate Athletic Association (NCAA) student data from 2018

What can I do to protect myself?

At this time SFU accounts have not been compromised, nor have we found evidence of compromised passwords, banking information, or regulated data (such as Social Insurance Numbers). However, due to the type of personal information exposed you may be at an increased risk for:

  • Third-party profile building
  • Unsolicited bulk or commercial email
  • Identity theft

SFU recommends that you:

  1. Monitor your online information
    Monitor personal accounts and memberships of all kinds for any unusual activity over the next several months.
  2. Add multi-factor authentication (MFA) to your SFU account
    If you are using SFU systems, make sure you are using Multifactor Authentication (MFA). During this time where work and study from home has increased, attackers are using increasingly sophisticated ways to obtain passwords. MFA is one of your best defences against remote attacks. To ensure account security, all faculty and staff will be required to enroll in MFA by May 2021, and all students during the fall 2021 term. MFA will be required for everyone in the SFU community (including retirees and alumnus) by December of this year.
  3. Use SFU's virtual private network (VPN) for remote work
    If you are faculty or staff at the university, please ensure you use SFU’s Virtual Private Network (VPN) to encrypt and secure your connection while working remotely.

What steps is SFU taking?

SFU is notifying individuals impacted by this breach and assisting those who may have any questions or need assistance. Additionally, the university is also:

  • Continuing to conduct a full forensic analysis
  • Coordinating with the Office of the Information and Privacy Commissioner (OIPC) for B.C.
  • Auditing internal policies and procedures to identify improvements
  • Accelerating initiatives that continue strengthening our cyber-security systems

Information security and transparency remain at the forefront of SFU’s commitment to this community, and we truly regret that this has happened.

Have questions or want to speak to someone?

SFU IT SERVICES

If you have any questions or need any assistance with the resources listed, please contact:

B.C OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER (OIPC)

You can consult the OIPC website at https://www.oipc.bc.ca/ for general information about protection of personal privacy. You have the right to complain to the Commissioner by writing to:

Information and Privacy Commissioner
PO Box 9038, Stn Prov Govt
Victoria, British Columbia V8W 9A4

If you submit a complaint, please provide the Commissioner’s office with:

  1. Your name, address and telephone number;
  2. The reasons or grounds upon which you are complaining.

FAQ

What personal information was exposed?

Spreadsheet data on the breached server contained personally identifiable information for a number of current and former students, faculty, staff and student applicants. The personal information varies for each individual based on the type of information stored within the spreadsheets. The majority of personally identifiable information stored in the server was student/staff ID numbers with at least one other data point. The other data points are varied. Examples include things like admission or academic standing data.

The university is working to notify all impacted individuals with the details of what may have been exposed for each person.

What is the total number of accounts impacted?

The number of individuals impacted, with at least one type of personally identifiable information, is approximately 200,000. The personally identifiable information for approx. 75% of those impacted (150,000 people) is their student/employee ID number and at least one other data element, but no name identifier (first name/last name).

How was the attack detected?

Information security personnel were alerted to the incident on February 5 and upon investigation it was discovered that the server had been attacked. The compromised server was shut down immediately when the breach was discovered. The server was breached on February 3.

What has SFU done to address the breach and protect the personal privacy of affected individuals?

SFU is currently notifying individuals impacted by this breach and assisting those who may have any questions or need assistance. The university is also:

  • Continuing to conduct a full forensic analysis
  • Coordinating with the Office of the Information and Privacy Commissioner (OIPC) for B.C.
  • Auditing internal policies and procedures to identify improvements
  • Accelerating initiatives that continue strengthening our cyber-security systems

Information security and transparency remain at the forefront of SFU’s commitment to this community, and we truly regret that this has happened.

Why are individuals being notified more than a week after this information was discovered?

The breached server held a large number of spreadsheets that contained both public and personal data, which made the analysis of determining what personal information may have been exposed very detailed and time-consuming. In order to understand what information may have been accessed and of that, what may be personally identifiable information, our staff needed to review every record on the server. Our teams worked around the clock to complete this review as quickly as possible. We also needed to aggregate the data to summarize all personal information that may have been exposed for each individual.

To not be blocked as spam by external email providers, we are spacing out the mailing of our notification to individuals with external email addresses (e.g., Gmail, Hotmail, etc.) over one week, from February 16 - February 23.

It is important to note that although some personal information may have been exposed the probability of identity theft from this attack is low. The data exposed does not include information such as banking details, Social Insurance Numbers (SIN) or passwords.

Do we know the purpose of this attack?

Cybersecurity attacks are an ongoing global threat and cyberattack attempts are on the rise. During this incident, an attacker was able to access data on only one server. As there was data with personal information, there is a risk that the information may be sold or publicly disclosed.  

The university works continually to ensure that the security of SFU information technology systems is robust, but businesses are facing increasingly sophisticated attacks that continue to evolve and advance in their methods. 

What is the probability of identity theft?

The probability of identity theft from this attack is low. The data exposed does not include information such as banking details, Social Insurance Numbers (SIN) or passwords.

SFU had a breach in March 2020, are SFU’s IT systems sound?

The cyberattack in March 2020 was very different than this current one; the two attacks are unrelated. This incident and the previous incident from last year are separate types of attacks with distinctly different forensic evidence.

Information security is an institutional priority. The university has been steadily increasing our information security systems and continues to do so. In support, and with the support, of the university community SFU is working to further safeguard our online environments and platforms.

SFU has moved the majority of the university’s servers into a highly secure SFU Cloud environment. The Cloud continuously verifies users, resources, devices and applications before granting even a minimum level of access (also known as a "zero-trust" network).

In 2020, SFU released several new services to help individuals further safeguard their information online. SFU has implemented multi-factor authentication, which uses something you know (such as your password) and something you have (such as your mobile device) to securely verify your identity before logging in to our services. As per SFU’s announcement in October 2020, by May 2021 we will require all faculty and staff at SFU to be enrolled in MFA.

For faculty or staff working remotely, SFU has also introduced an encrypted and secure Virtual Private Network (VPN) to use while working off campus. Endpoint security was also improved last year with the implementation of the managed device project.