Malware put more than 3,000 University of Alberta faculty, staff and students at risk late last year, but because of a police probe resulting in charges against a student, the breach wasn’t shared campus-wide until Thursday.
The case involved the installation of malware on 300 computers in 20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science, Gordie Mah, the university’s chief information security officer, told a news conference Thursday at the U of A.
The malware was designed to harvest the university’s primary identification password, known as the campus computing ID.
“That’s the gateway to the university’s email service, for example,” Mah said, adding it could lead to the disclosure of unauthorized personal or financial information.
“This particular malware requires the individual to be physically present at the machine,” he said. “That’s the only barrier to how much further it could have spread.”
Mah noted there hasn’t been a data breach of this scale at the university in recent memory. He recommended people change their passwords often and avoid opening attachments or links from suspicious emails.
The U of A’s information services and technology unit detected the malware Nov. 22, he said.
A day later, the university notified 3,304 people their passwords were potentially at risk. Another 19 people were later found to have been potentially affected. The university implemented a mandatory password reset for the users at risk.
A U of A student faces multiple cyber-attack-related charges, said Edmonton police.
Acting Sgt. Phil Hawkins with the cyber crimes investigation unit said two malware attacks took place between Nov. 17 and Dec. 8. In the first incident, the university’s response team located the malware on 287 computers, which potentially affected more than 3,300 faculty, staff and students. In the second incident, the malware was found on 17 computers and affected 19 students.
Yibin Xu, 19, is charged with mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offense. Xu’s next court appearance is scheduled for Jan. 10.
Malware consists of malicious software and computer programs that attempt to conduct illicit actions through the affected computers, such as destroying information, allowing the perpetrator to gain control or stealing information.