Student charged with cyber crimes in U of A malware breach

A University of Alberta student faces charges after hundreds of university-owned computers and thousands of passwords were put at risk by malware.

A 19-year-old student has been charged with cyber crimes, including mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence.

"We have not in recent memory sustained an incident of this scale or magnitude," said Gordie Mah, the university's chief information security officer.

"This particular malware was designed to harvest the university primary ID password."

Malware, short for "malicious software," allows perpetrators to gain control of a system and potentially steal information.

In total, 304 university computers and potentially 3,323 passwords belonging to students, staff and faculty may have been affected.

The U of A on Thursday reassured students and staff their computer systems are now secure. 

"We have had no indication of actual use of compromised information," Mah said, "or that any individual has actually experienced a privacy breach."

He said anyone potentially affected by the security breach was told following the incidents.

On Nov. 22, Information Services and Technology detected malware on 287 computers in 20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science.

• Malware infection of University of Calgary computers partly fixed
• University of Calgary paid $20K in ransomware attack

The next day, the university notified 3,304 students, staff and faculty members whose university passwords may have been at risk.

A joint police and university investigation discovered another 17 university computers affected, which they determined may have compromised 19 people's passwords.

The two incidents took place between Nov.17 and Dec. 8, 2016, the Edmonton police Cyber Crimes Investigation Unit confirmed in a news release Thursday.

Mah said reports of malfunctioning lab computers alerted the university to the problem.

"It was a couple of days from the potential time of initial deployment to the time of discovery."

The university said it waited until Jan. 5 to share the information with the entire campus because the police were investigating.  

A system wide password reset was ordered following the investigation.

The university continues to monitor the computer systems and has advised Alberta's Information and Privacy Commissioner about the incident.

Mah said students can help protect their privacy by monitoring their own computers.

"An adequately strong password, ensuring that you don't use the same password across multiple accounts, especially if they are valued accounts. And being aware, be cognizant not to click on any links or attachments from suspicious emails."