A month after UFV student personal account information was held ransom for $30,000, no additional information has been released.
On October 31, The Cascade reported that private information from 29 UFV accounts was emailed to hundreds of UFV student emails. The malicious email demanded a ransom in exchange for not releasing thousands of more accounts’ information.
UFV director of communications, Dave Pinton, said in an email that the ransom was not paid, and security update measures took approximately eight days to establish. UFV did not enter into negotiations with the party responsible for the email.
“The original malicious email did contain personal information, as we reported, but no further evidence surfaced which indicated they held further information,” Pinton said.
UFV is now aware of how the information was accessed, but to assist with the investigation, and to maintain the security of the the information, would not disclose details, Pinton said.
Pinton said UFV would also not disclose whether the the malicious email’s sender had been identified or not, but said the investigation is ongoing.
To prevent this kind of data breach from happening in the future, UFV’s chief information officer, Darin Lee, said in an email that UFV has implemented more stringent password requirements for the myUFV portal.
“A number of projects are in motion to improve our security, and we continue to collaborate with our peers in the post-secondary sector to identify and implement best practices,” said Lee.
Initially responding to the attack, the university notified all students, faculty, and staff of the investigation of the malicious email and the disclosed personal information. The email asked the community to be cautious when receiving unusual email messages.
Later that day, UFV temporarily suspended some functionality of the myUFV web portal and UFV student emails to minimize the risk of further data breaches during the investigation.
Immediately following the attack, UFV contacted a third-party cybersecurity and forensics firm, the Abbotsford police department, external privacy-expert legal counsel, and activated UFV’s Emergency Operations Centre, a team of university personnel who evaluate a crisis, make decisions based on policy, and deploy resources as necessary, Lee said. The Office of the Information and Privacy Commissioner of B.C. was also contacted, and kept updated with the investionation.
“Incident response, as well as privacy breach protocols, existed and were followed,” Lee said. “However, every situation is unique, and this was the first of this nature for UFV. Protocols are being updated to reflect the lessons learned to better prepare for future events.”