Home

Algonquin College cybersecurity attack update

July 16, 2018 – On May 16, Algonquin discovered unauthorized and illegal access by hackers on one server infected with malware.

The College acted immediately to re-establish the security of the server. Forensic experts were brought in to investigate the scope of the attack and the information compromised. The investigation determined that the infected server hosted access to databases which contained personal information.

The detailed forensic investigation currently underway has revealed no direct evidence that any data was actually accessed or taken in the cyberattack.

That analysis also shows that no financial information was exposed in the incident. For example, the data did not contain Social Insurance Number (SIN), banking or credit card information. The affected data also did not include any personal health information.

While there have been no reports of identity theft or other misuse, the College has identified 4,568 individuals – including students and alumni – whose information which may have been exposed was more detailed, including date of birth and home address. Those individuals were alerted via e-mail on Monday, July 16 and will be receiving a letter through Canada Post. Out of an abundance of caution, these individuals are being offered identify theft protection based on the College’s risk-assessment analysis.

An additional 106,931 individuals – including students, alumni, and current and former employees – had non-sensitive information that may have been exposed on the server. This information was assessed as presenting a low risk of misuse if in fact it were accessed. The College is in the process of contacting this second group by letter.

The College has set up a toll-free number for anyone with questions or concerns (1-866-252-2644 during normal business hours). They can also e-mail acadvisory@algonquincollege.com.

The College has implemented a number of additional security measures recommended by an external security consultant.

“We are committed to communicating with and supporting those affected – and addressing any concerns they might have,” said Algonquin College President Cheryl Jensen. “We are also focused on reviewing and improving security measures to help us guard against similar incidents.”

Algonquin has informed the Information and Privacy Commissioner of Ontario and the Ottawa Police Service so that they will be informed and able to assist individuals affected in the unlikely event that some misuse of information occurs.

The College’s website (algonquincollege.com/cyber) on the cyberattack features new FAQs and background information, and will be updated regularly.

The forensic investigation into this incident continues.

FAQ: Hot Topics

How did this affect current and former employees?

Affected staff have had very limited information exposed. This information may have included their name, e-mail address, and phone number. We have had no reports of misuse of this information. If employees have taken a professional development course at Algonquin College, they may have been in this group. Those affected have been notified by letter.

The College is committed to transparency, and has a long standing practice of providing notice where individuals may have been affected by data security incidents. In the spirit of this commitment, employees have been notified even if very limited information has been exposed and may already be publicly-available information.

What if I am having issues registering for identity theft protection?

Out of an abundance of caution, a total of 4,568 individuals whose information was more sensitive – such as home address and date of birth – were contacted and offered identify theft protection based on the College’s risk-assessment analysis. If you are among this group, and are having any issues registering for identity theft protection, please call 1-866-252-2644 during normal business hours.

How did this happen?

On May 16, Algonquin discovered unauthorized and illegal access by hackers on one server infected with malware.

The College acted immediately to re-establish the security of the server. Forensic experts were brought in to investigate the scope of the attack and the information compromised.

What are the key results of the investigation?

A detailed forensic investigation uncovered no direct evidence that any data was actually accessed or taken. It identified 4,568 individuals whose exposed information, if it was in fact accessed, could pose a moderate risk of misuse. They have all been contacted.

How do people know if they are affected?

These 4,568 individuals whose information was more sensitive – such as home address and date of birth – were contacted via email on Monday, July 16. Those affected have been notified by letter. Out of an abundance of caution, these individuals are being offered identify theft protection based on the College’s risk-assessment analysis.

An additional 106,931 individuals were identified who had non-sensitive information accessible through the server, such as name, student number and email address. Those affected have been notified by letter. The College’s risk-assessment analysis concluded that this information presented a low risk of misuse, if in fact it was accessed.

Did hackers take any information?

The detailed forensic investigation currently underway has revealed no direct evidence that any data was actually accessed or taken in the cyberattack. We have no reports of identity theft or other misuse. We are providing notification to individuals because we do know that hackers had potential access to a server that hosted access to their data.

What data was involved?

Access varied with individual accounts. For the most part, the personal information that may have been accessed included basic identifying information such as an individual’s name, student number, and Algonquin College e-mail address. In some cases, the information included a personal email address or a phone number. In some cases, the information included details of which courses the individual registered for at the College.

One database, which included a small portion of the affected individuals, also included more detailed information including home address and date of birth. The 4,568 people in this more compromised group were directly notified on Monday, July 16.

Is the data that was compromised safe now?

The server that was compromised was cleaned, and the data cannot be accessed by any unauthorized parties.

Have you had reports of identity theft?

No. We have no reports of identity theft or other misuse.

Was any financial information available for access?

No financial information was exposed in this incident. For example, the data did not contain any Social Insurance Number (SIN), banking or credit card information. The data also did not include any personal health information.

Where can I get more information?

Key questions are being updated regularly on these FAQ pages. The College has also set up a toll-free number for anyone with questions or concerns (1-866-252-2644 during normal business hours). You can also email acadvisory@algonquincollege.com/