Skip to main content
Emerging ThreatsData Breaches

Hackers Breach Mount Royal University, Expose Sensitive Data

Blurred laptop screen on a desk in a university hallway with students walking in the background, conveying a sense of…
“We regret to inform our community that our investigation has now shown that data within certain folders on the University’s ‘H drive’ was accessed and taken by an unauthorized actor,” reads the announcement from Mount Royal University (MRU), describing a June 17 cyberattack that stole and then deleted stored files from the campus network.

What happened on June 17 and which systems were affected

MRU says the incident began on June 17 and disrupted a broad range of university systems. The university reported outages to online services, internet access, and certain internal systems. Technical teams and external cybersecurity experts have been engaged to investigate and to support recovery efforts. MRU cautioned that recovery of affected systems may take between several weeks and months, and it pledged to provide updates as soon as new details become available.

H drive theft, J drive deletion, and the limits of recovery

The university's investigation confirmed that an unauthorized actor accessed and took data from folders on the campus “H drive,” a storage area used by students and employees for file storage; the original copies on that drive were then wiped to disrupt recovery. A separate drive, labeled “J,” which housed departmental data, was also wiped. MRU says there is currently no evidence the J drive data was accessed or copied before deletion, and that a full recovery of J drive data may not be possible.

Because copies were deleted, MRU warned the exposed data varies by person and that determining the exact impact for each individual will be complicated and take time. The university said it will notify impacted individuals directly through personalized notifications once they are identified.

What the attackers claim and the ransom demand

The incident was claimed by a group identified in the announcement as CMD Organization. The threat actor published samples of allegedly stolen material — MRU noted those samples include passport scans and other sensitive documents — and asked for a ransom of 30 BTC, which the university’s source reported as currently around $1.9 million. CMD Organization gave MRU six days to respond before threatening to leak the full set of stolen information.

CMD Organization appears to operate an auction-style model: the group offers to sell stolen data exclusively to the highest bidder, lists 30 organizations on its extortion site, and runs both a clear web and a dark web portal for its activity, according to the report.

Reporting, protections offered, and institutional context

MRU has reported the breach to the Alberta Information and Privacy Commissioner and to law enforcement authorities. As part of its immediate remediation and support measures, the university is offering two years of credit monitoring and identity theft protection to all current employees and to individuals employed in the past five years. MRU described itself in the notice as a public university with more than 100 years of history and said it currently has 11,560 students and 12,500 undergraduates.

How current and former students, employees, and university security teams will respond

  • Current and former students: MRU confirmed that the H drive contained information affecting current and former students; those students will be notified directly if they are identified as impacted and may be eligible for the offered credit monitoring and identity-theft protections.
  • Current and former employees: The university said the H drive contained information affecting current and former employees; MRU’s offer of two years’ credit monitoring and identity theft protection covers all current employees and individuals employed in the past five years.
  • University technical teams and external cybersecurity experts: MRU has engaged internal technical teams and external cybersecurity experts to investigate and recover systems. The university warned recovery could take weeks to months and acknowledged that some departmental (J drive) data recovery may not be possible.

As Mount Royal University proceeds with forensic work, notification, and recovery, the record released so far centers on two concrete facts: data from the H drive was accessed and taken, and copies on campus storage were wiped; a second, departmental store was deleted with no evidence of prior exfiltration. The university has reported the incident to provincial privacy authorities and to law enforcement, has involved outside cybersecurity expertise, and has extended specific protections to affected employees and former employees pending the outcome of its ongoing investigation. MRU has said it will provide updates as new details become available, leaving the exact scope of individual impact — and whether full recovery of deleted departmental data will be possible — as the key questions still to be answered.

Original reporting