Mount Royal University (MRU) in Calgary, Alberta has confirmed it suffered a cyberattack in which hackers gained unauthorized access to its network, exfiltrated data from file storage systems, and then deleted the stolen content from university servers — a destructive tactic increasingly used to pressure institutions into paying ransoms.
What Happened
The university disclosed the breach following claims from a hacking group asserting responsibility for the attack. MRU confirmed that data was taken from file storage systems, though the exact scope — including the types of data and number of individuals affected — was not immediately disclosed.
The attacker's playbook of stealing then deleting data mirrors tactics used by groups like Cl0p and others who leverage dual extortion: steal, delete originals, and demand payment to prevent public release.
Impact and Response
Mount Royal University has notified relevant authorities and is working with cybersecurity experts to investigate the full extent of the breach. The university has not confirmed whether personal information of students, faculty, or staff was among the stolen data.
Key concerns for affected individuals include:
- Stolen academic records — grades, enrollment data, and research material
- Personal identifiable information (PII) — contact details, student IDs, and financial aid data
- Institutional research — depending on what was stored in the compromised file shares
MRU has stated it is taking steps to secure its systems and prevent further unauthorized access.
The Growing Threat to Canadian Post-Secondary Institutions
Canadian universities have become frequent targets for cybercriminals. The combination of large stores of personal data, research intellectual property, and often underfunded IT security teams makes them attractive targets.
In recent years, similar attacks have hit institutions across North America, with groups exploiting:
- Unpatched VPN and remote access vulnerabilities
- Weak multi-factor authentication enforcement
- Over-permissioned file share access
What Affected Individuals Should Do
If you are a student, faculty member, or staff at Mount Royal University:
- Monitor your accounts for unusual activity, especially email and financial accounts
- Watch for phishing attempts — attackers often use stolen email lists for follow-up campaigns
- Consider a credit freeze if financial or government ID data may have been involved
- Check MRU's official communications for updates on what data was taken and remediation steps
Takeaway
The destroy-after-exfiltration tactic is designed to eliminate backup recovery as an option, maximizing leverage against victims. Until universities invest more heavily in zero-trust architectures, privileged access management, and immutable backups, these attacks will continue to succeed.
MRU joins a growing list of educational institutions learning this lesson the hard way.