The University of Alberta said Thursday it has reached out to more than 3,000 people whose university passwords were potentially at risk after a malware incident in November.
On Nov. 22, malware – a type of malicious software that tries to infect a computer – was detected on 287 U of A computers in the Library Knowledge Commons and in the Centennial Centre for Interdisciplinary Science.
A police investigation found malware on 17 additional computers in labs and classrooms in the Computing Science Centre.
“This particular malware was designed to specifically attempt to harvest the university’s primary ID password. Our primary ID is known as the campus computing ID or CCID,” Gordie Mah, the university’s chief information security officer, said.
“Potentially having control of another’s password, and in this case the CCID (campus computing ID), can lead to disclosure to unauthorized access of personal, perhaps financial, and other information.”
The malware had the potential to steal password information, but police said there was no indication that users’ passwords were used.
“We have had no indication of actual use of compromised information or that an individual has sustained an actual privacy breach,” Mah explained.
On Nov. 23, the university sent an email to 3,304 students and faculty members whose passwords were potentially at risk. They were asked to reset their passwords. On Dec. 8, 19 more people were notified of the potential risk.
The university said it was not able to make the potential security breach public until now because of an ongoing police investigation.
“All individuals potentially affected by the information security incident were advised promptly and in accordance with the university’s procedures and best practices,” the university said in a campus-wide notification.
The university said its Information Services and Technology (IST) unit developed controls against the malware and ensured the school’s computer systems are safe and secure.
Edmonton police said a 19-year-old student is facing several charges in relation to the incident.
Yibin Xu was charged with mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence. He is scheduled to appear in court on Jan. 10.
Comments