Student charged with cyber crimes in U of A malware breach

A University of Alberta student facescharges after hundreds of university-owned computers and thousands of passwords were put at risk by malware.

A 19-year-old student has been charged with cyber crimes, includingmischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence.

"We have not in recent memory sustained an incident of this scale or magnitude," said Gordie Mah, the university's chief information security officer.

"This particular malware was designed to harvest the university primary ID password."

Malware, short for "malicious software,"allowsperpetrators to gain control of a system and potentially steal information.

In total, 304 university computers and potentially 3,323 passwords belonging to students, staff and faculty may have been affected.

The U of Aon Thursday reassured students and staff their computer systems are now secure.

"We have had no indication of actual use of compromised information," Mah said, "or that any individual has actually experienced a privacy breach."

He said anyone potentially affected by the security breachwas told following the incidents.

On Nov. 22, Information Services and Technology detected malware on 287 computers in20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science.

• Malware infection of University of Calgary computers partly fixed
• University of Calgary paid $20K in ransomware attack

The next day, the university notified 3,304students, staff and faculty members whose university passwords may have been atrisk.

A joint police and university investigation discoveredanother 17 university computers affected, which they determined may have compromised 19 people's passwords.

The twoincidentstook place between Nov.17 and Dec. 8, 2016, the Edmonton police Cyber Crimes Investigation Unitconfirmed in a news release Thursday.

Mah said reports ofmalfunctioninglab computersalerted the university tothe problem.

"It was a couple of days from the potential time of initial deploymentto the time of discovery."

The university said it waited until Jan. 5 to share the information with the entire campus because the police were investigating.

A system wide password reset was ordered following the investigation.

The university continues to monitor the computersystems and has advised Alberta's Information and Privacy Commissioner about the incident.

Mah said students can help protect their privacyby monitoring their own computers.

"An adequately strong password, ensuring that you don't use the same password across multiple accounts, especially if they are valued accounts. And being aware, be cognizant not to click on any links or attachments from suspicious emails."