University of Winnipeg officials say the university is not taking basic steps to protect personal information after student and faculty data was stolen in a cyberattack last month.
The staff member, speaking on condition of anonymity, said that among the “vulnerabilities” in U of W's information technology systems was that classroom computers were not password protected.
“It's amazing that anyone can walk into an open classroom and use the computers in the classroom without having to enter a username or password,” the official said. “The fact that these computers are left open creates an incredible number of vulnerabilities to access university systems and track personal information and credentials entered into those devices in the classroom. Gender is born.”
The employee expressed concern about the possibility that someone could install a key-tracking program to obtain passwords and faculty login information.
In response to a request for comment, the university pointed to an updated Frequently Asked Questions section on its website and noted that classroom computers are secure and do not have access to network services such as file storage.
“These are even more secure to prevent any modification or software installation, and are reset with each new session,” the website says.
The U of W learned on March 24 that it was the victim of a cyberattack. Subsequent investigation revealed that the assailant had infiltrated the network a week earlier. Financial and personal data dating back to 2003 was stolen from the university's file servers, affecting thousands of current and former students and staff, the university announced Thursday.
The fact that the intruders remained undetected for about a week suggests that “they weren't forcing their way into the network, they were being allowed to come in,” said Mathieu Manaigre, founder and CEO of Winnipeg's Avenir IT.
The most common way to gain access this way is through “social engineering.” Clicking on a link in a phishing email or falling victim to a fraudulent phone call from someone pretending to be an IT professional are common examples, Manaigre said.
In response to a question about what the U of W is doing to prevent further cyberattacks, the university said: “In due course, we will consider the findings and carefully develop a plan to improve our cybersecurity posture.”
Students on campus Friday learned their information had been compromised and expressed clear fear about their financial future.
When marketing student Tutu Agboola arrived on campus and tried to access the WiFi network on her mobile phone, she was unable to log on. A generic alert popped up asking her to allow the certificate to join the network.
“Before [this cyberattack] happened, I would have done it without blinking. But I had to go to IT and ask, 'Can I do this?'” Agboola said. She said she is concerned and is being especially cautious now that confidence in the university's online system is being shaken.
“I feel that it is difficult to regain trust once it has been betrayed.”
All university systems are currently considered secure.
First-year students Julie and Kathleen declined to provide their last names but said they had changed their bank account information.
“I'm actually paranoid, so I check my bank account every day for (unauthorized) transactions,” Julie said.
Agboola said she and other students remain concerned and want to know what action U of W is taking.
“We're changing our passwords and we're hoping for the best, but we don't know what's going to happen,” Agboola said. “I think that's something we need to tell you.”
Even if it's inconvenient, it's a good idea to double-check your online activity with your IT staff, says Manaigre.
“Being paranoid at this point is almost the same as being diligent when it comes to cybersecurity,” he says.
He advised people to report it as soon as possible at home, work or school if they think they may have accidentally clicked on a fraudulent link or entered a password on an illegal site. Don't let shame keep you quiet, he said. “Don't wait,” Manaigre said. “That's probably the worst thing you can do. Let people know right away.”
Credit monitoring is now available for affected individuals who are at risk of identity theft, and the university said it is compiling a list of students and faculty whose information it believes has been stolen. The university did not say exactly how the information was stolen. Winnipeg police, the Canadian Cyber Security Center and the Manitoba Ombudsman were notified.
As for how the breach affected other institutions, the University of Manitoba said Friday it would not say whether it had taken any additional steps for security reasons.
katie.may@freepress.mb.ca