Written by: Jaymee Salisi, News Writer

On February 3, 2021, there was an eight-minute data breach from an SFU server. IT services discovered the attack two days later and blocked external access to the server immediately.

Faculty, staff, and students were informed on February 16. They were assured that banking details, social insurance numbers, and passwords were not exposed during the breach. Exposed information that could be personally identifiable consisted of student/employee numbers and academic standing data.

Data elements such as date of birth may have been exposed, and a quarter of the information exposed had name identifiers. This poses a “low probability of being exploited,” Chief Information Officer Mark Roman told The Peak in an interview. “It looks like all they wanted to do was really get money from a ransom attack,” rather than to exploit data. Individuals whose data had been exposed were advised to monitor their personal accounts for unusual activity.

The breached server was undergoing system security improvements at the time of its exposure, said Roman. However, most of the breached information was unclear to external attackers through encryption and was located on a local server that did not permit access to further information. Roman added that SFU’s online security is constructed in a way that does not allow external users to infiltrate multiple servers.

Moving forward, Roman explained that IT services will be implementing multi-factor authentication — a system that verifies a user’s identity by presenting two or more pieces of evidence during the log-in process. Faculty and staff will be required to use this authentication method by May 2021 followed by all students in the fall. 

SFU’s Virtual Private Network (VPN) is also recommended for faculty and staff to use to secure private access to the university’s data when working remotely. This service ensures safety for users while connected to unsecured networks.

Ideally, SFU would have preferred to notify people immediately upon discovery of the data breach, said Roman. However, the wide variety of information on SFU’s servers made the process “way more complicated.” 

Roman emphasized that up to 30 people on the university’s IT team spent 10 days trying to decipher data elements that were personally identifiable and who to notify. 

Individuals may log into the university’s cybersecurity site using an SFU computing ID or contact IT services at its-help@sfu.ca to check if their information was exposed in the data breach.