Manitoba

SINs, banking and personal information stolen in U of Winnipeg cyberattack: investigation concludes

Data — including social insurance numbers, mailing address and bank account information — from University of Winnipeg current and former students, employees and contractors was stolen in a cybersecurity attack last spring.

Information from current student, alumni, employees and contractors leaked on winter semester attack

A castle-like building is seen across a front lawn with snow on it. A sign says "The University of Winnipeg"
The University of Winnipeg releases list of information stolen on cyberattack last spring after concluding months-long investigation. (Gilbert Rowan/Radio-Canada)

Personal data — including social insurance numbers, mailing address and bank account information — from current and former University of Winnipeg students, employees and contractors was confirmed as stolen in a cyberattack last spring. 

The findings come months into an investigation commissioned by the post-secondary institution into the cyberattack that disrupted student services toward the end of the winter semester. 

Almost two weeks after the attack, first detected on March 24, U of W confirmed that data from a university file server had been stolen. In early April, the university shared a preliminary list of the groups likely affected by the attack and began a forensic investigation to determine who had been affected by the leak and what kind of information had been stolen. 

"That investigation has now concluded," the University of Winnipeg said in a news release. "This has been a terrible incident that has directly impacted our community."

An updated list of the data likely stolen during the attack was compiled and released by the university on Thursday. 

Current, former students information leaked

The University said all students enrolled in undergraduate and graduate programs since September 2018, as well as those enrolled in professional, applied, continued education, and  English language programs since 2019, were victims of the data leak. Their names, dates of birth, street addresses and social insurance numbers were among the bulk of information stolen. 

Information from alumni — including their names, phone numbers and mailing address — who graduated between 2008 and 2018 from undergraduate and graduate programs was compromised in the cyberattack. 

Names, passports and banking information from students enrolled from 2013 to 2023 on field placements, as part of the Development Practice master's program, were leaked on the attack. Meanwhile, students from the same graduate program who provided health information for a field placement from 2014 to 2023 were also victims of the cyberattack, with their names, health insurance and personal health identification numbers being stolen. 

Banking information was also stolen from students who made a wire payment to the University from 2014 to March 2024.

The investigation found that some of the stolen data dates back to 1987. The University said the names, dates of birth, and mailing addresses of students who were enrolled in a professional, applied, or continued education program at the post-secondary institution between that year and 2006 were leaked. 

Information of some university applicants from as early as 2011 and prospective students in different programs was also stolen, the university said. 

University's employees, contractors data stolen

Information from current and former employees at the University was also compromised during the cyberattack. 

The University said social insurance numbers, dates of birth and compensation information from all employees that have worked at the post-secondary institution since 2003 was stolen. Banking information of those employed at U of W since 2015 was also leaked. 

Name and personal health information provided by employees in support of sick leave requests from 2021 to March 2024 were part of the medical information from the university's server that was leaked this spring.

The university said the leaked data also included information from contractors, including homestay host families and host family applicants between 2016 and 2021, guest speakers at master program lectures from 2012 to 2024, and all contractors from whom the University requested social insurance numbers. 

It is unclear how many individuals connected to the university had their personal information stolen in the cyberattack.

The university said it is offering a two-year credit monitoring service for those impacted by the cyberattack so they're better protected against identity fraud.