University computer systems are safe and secure following a malware incident in November.
At the request of the Edmonton Police Service and out of respect for the ongoing investigation, the university was unable to share this campus-wide notification until today. All individuals potentially affected by the information security incident were advised promptly and in accordance with the university’s procedures and best practices.
The incident involved the installation of malware on 304 university computers in 20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science.
On the evening of Nov. 22, U of A Information Services and Technology (IST) detected the malware on 287 computers and took immediate steps to contain the risk. A forensic analysis was initiated to determine the full scope of the information security incident.
On Nov. 23, the university sent an email notification to 3,304 individuals whose university (CCID) passwords were identified as potentially at risk. These individuals were provided information about how to protect their privacy, including the recommendation to change their CCID password. U of A Protective Services was apprised of the situation, as was EPS, which continues to investigate.
During the EPS investigation, malware was discovered on an additional 17 university computers. The university took immediate steps to contain the exposure, remove the malware and contact 19 individuals potentially affected with advice to change their CCID passwords. As an extra precaution, IST implemented a mandatory CCID password reset for all 3,323 users potentially affected, a process that involves identity verification prior to reactivation.
IST has developed controls against this type of malware and will continue monitoring to ensure university systems remain secure.
The university’s Information and Privacy Office has advised the Office of the Information and Privacy Commissioner of Alberta about this incident.
The swift response to this matter confirms the university employs sophisticated measures to protect the privacy and online security of all members of our community. We must all remain vigilant to reduce risks and exposure to malware or other cyber-attacks.
For more information about information security policies, procedures and best practices, visit the IST Security Site or contact the CISO at CISO@ualberta.ca. Please refer to the FAQ below.
Chief Information Security Officer
University of Alberta
Q: What was the nature of the information security incident?
On the evening of Nov. 22, malware was discovered on 287 university classroom and lab computers in the Library Knowledge Commons and in the Centennial Centre for Interdisciplinary Science. During the course of the EPS investigation, additional malware was found on 17 computers in labs and classrooms in the Computing Science Centre. The malware had the potential to steal password information.
Q: What is malware?
Malware consists of malicious software and computer programs that attempt to conduct illicit actions through the affected computers (such as destroying information, allowing the perpetrator to gain control, or stealing information).
Q: How was this malware installed?
An individual with direct physical access to the classroom and lab computers installed the malware on the affected computers.
Q: How was the malware discovered?
The malware was discovered by the university's Information Services and Technology (IST) unit, which immediately involved the Office of the Chief Information Security Officer.
Q: What systems were affected?
The malware used in both incidents affected approximately 20 university classrooms or labs, consisting of 304 computers.
Q: Which users were at risk?
Those who logged into the affected computers while the affected computers were infected were potentially at risk. University records indicate 3,323 individuals logged into one of the affected computers. Because these are teaching facilities, the individuals affected were primarily students, but some faculty were affected too.
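The at-risk list described above is built by joining the authentication log against the set of infected workstations and the period each one was infected, and then subtracting anyone already contacted when further infected machines turn up later in the investigation. The following is an added example of that procedure, not the university's own tooling; the host names, CCIDs, timestamps and infection windows are all constructed (the year is arbitrary, since the notice gives only month and day).

```python
"""Compile the accounts potentially exposed by malware on shared lab computers:
anyone who logged into an infected host while it was infected.
Added example; hosts, CCIDs, timestamps and infection windows are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

Window = Tuple[datetime, datetime]


@dataclass(frozen=True)
class LoginEvent:
    ccid: str        # university account identifier
    host: str        # classroom/lab workstation name
    when: datetime   # login time taken from the authentication log


# Infection window per host: (first known infected, contained and malware removed).
# Constructed values; the year is arbitrary because the notice gives only month and day.
FIRST_WAVE: Dict[str, Window] = {
    "lkc-lab-01": (datetime(2016, 11, 10, 9, 0), datetime(2016, 11, 22, 21, 0)),
    "ccis-lab-07": (datetime(2016, 11, 12, 9, 0), datetime(2016, 11, 22, 21, 0)),
}
# Hosts found infected later during the investigation (the "additional computers" case).
SECOND_WAVE: Dict[str, Window] = {
    "csc-lab-03": (datetime(2016, 11, 14, 9, 0), datetime(2016, 12, 7, 18, 0)),
}

# Constructed extract of an authentication log.
LOGINS: List[LoginEvent] = [
    LoginEvent("student1", "lkc-lab-01", datetime(2016, 11, 15, 10, 30)),
    LoginEvent("student2", "lkc-lab-01", datetime(2016, 11, 5, 10, 30)),   # before infection
    LoginEvent("student3", "ccis-lab-07", datetime(2016, 11, 20, 14, 0)),
    LoginEvent("student1", "csc-lab-03", datetime(2016, 11, 30, 9, 15)),   # already notified
    LoginEvent("student4", "csc-lab-03", datetime(2016, 12, 1, 9, 15)),
    LoginEvent("student5", "csc-lab-03", datetime(2016, 12, 8, 9, 15)),    # after containment
    LoginEvent("student6", "lkc-lab-99", datetime(2016, 11, 20, 9, 15)),   # never infected
]


def exposed_accounts(logins: Iterable[LoginEvent],
                     windows: Dict[str, Window]) -> Dict[str, Set[str]]:
    """Map each potentially exposed CCID to the infected hosts it logged into
    while those hosts were inside their infection window."""
    exposed: Dict[str, Set[str]] = {}
    for ev in logins:
        window = windows.get(ev.host)
        if window is None:
            continue                      # host was never infected
        start, end = window
        if start <= ev.when <= end:       # login happened while the host was infected
            exposed.setdefault(ev.ccid, set()).add(ev.host)
    return exposed


def new_notifications(exposed: Dict[str, Set[str]],
                      already_notified: Set[str]) -> List[str]:
    """Accounts that still need a notice: exposed but not yet contacted."""
    return sorted(set(exposed) - already_notified)


def notification_plan(logins: Iterable[LoginEvent],
                      waves: List[Dict[str, Window]]) -> List[List[str]]:
    """Walk the waves of discovered hosts in order and return, per wave, the
    accounts that receive a new notice; a CCID is only ever notified once."""
    notified: Set[str] = set()
    plan: List[List[str]] = []
    logins = list(logins)
    for windows in waves:
        batch = new_notifications(exposed_accounts(logins, windows), notified)
        notified.update(batch)
        plan.append(batch)
    return plan


if __name__ == "__main__":
    for i, batch in enumerate(notification_plan(LOGINS, [FIRST_WAVE, SECOND_WAVE]), 1):
        print(f"wave {i}: notify {len(batch)} account(s): {', '.join(batch)}")
```

The infection window matters in both directions: a login before the malware was installed, or after the host was contained, does not expose that account, and a login on a host that was never infected is ignored entirely. Running the block prints two waves, the first with two recipients and the second with one, mirroring the two notification batches in the notice.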
Q: Were those potentially at risk notified?
Immediately after compiling the list of those potentially at risk, an email notification was sent on Nov. 23 to 3,304 individuals, informing them of the incident. An additional 19 individuals were emailed on Dec. 8. In both instances, IST and the Chief Information Security Officer advised that CCID passwords should be changed as a precaution. These same users were notified again on Dec. 19 that their CCID passwords had been reset by IST.
Q: Why didn’t the university notify everyone on campus as soon as the incident was discovered?
At the request of EPS and out of respect for the ongoing investigation, the university was unable to share this campus-wide notification until today. All individuals potentially affected by the information security incident were advised promptly and in accordance with the university’s procedures and best practices.
Q: Why were passwords reset even for individuals who had previously changed their CCID passwords?
Best practice calls for a full password expiry, requiring CCID holders to validate their identity before reactivation. The prior self-service reset was not deemed an adequate precaution.
Q: What was done to address the risk?
The university’s computer incident response process was followed to ensure containment of the risk, eradication of the malware and testing to validate that the remedy is effective. A forensic analysis was also conducted, which resulted in the deployment of additional security controls.
Q: Are university systems still at risk?
There is no evidence that university systems are still at risk. We continue to monitor our systems to ensure they remain safe and secure. The university takes information security very seriously and continually prepares for cyber security threats and exposures.
Q: What is the status of the investigation?
Shortly after our forensic analysis was completed, University of Alberta Protective Services (UAPS) was apprised of the incident and launched its own investigation. UAPS advised the Edmonton Police Service on Nov. 25; EPS continues to investigate.
Q: How do you know the malware was localized to these classrooms and labs?
Part of the computer incident response process ensures the risk is contained. This occurs in part by identifying the malware and associated computer characteristics and thoroughly scanning classroom and lab computers to ensure there is no recurrence or new infections.
Q: Was my personal information compromised?
Those at highest risk of personal information compromise have been notified accordingly, their passwords have been changed, and they have been advised about best practices to reduce the risk of information theft. Otherwise, there is no evidence or indication of widespread information compromise.
Q: Is my CCID password at risk? Should I change my CCID password?
Those individuals who logged into infected computers have already been notified and their CCID passwords have been changed. If you did not receive such an email, there is no risk to your CCID password and therefore no need to change it.
Q: Was the person responsible caught?
An Edmonton Police Service investigation is ongoing. Because this is a criminal matter, we can provide no further comment.