Mount Royal University Confirms Data Breach After Hackers Claim Attack and Demand $1.9 Million
Mount Royal University has confirmed a cyberattack where hackers stole and deleted sensitive data from its file storage systems, with a group named CMD Organization claiming responsibility and demanding a $1.9 million ransom.

Mount Royal University (MRU) in Calgary has confirmed a significant data breach that occurred on June 17, involving unauthorized access to its network, subsequent data theft, and deliberate deletion of original files. The university is currently engaged in an extensive investigation with the assistance of external cybersecurity experts to assess the full scope of the incident and to facilitate system recovery efforts.
The cyberattack caused widespread disruption to various university services, including online platforms, internet connectivity, and internal systems, impacting its community of over 11,500 students and 12,500 undergraduates. The investigation has confirmed that attackers accessed and exfiltrated data from the "H drive," a file storage system used by students and employees. In a malicious act aimed at hindering recovery, the threat actors also wiped a separate departmental data drive, labeled "J," though MRU notes there is no current evidence that this data was copied before deletion. Full recovery of the "J drive" data may not be possible.
The university has reported the incident to the Alberta Information and Privacy Commissioner and relevant law enforcement agencies. Due to the deletion of original data, determining the precise impact on each affected individual is a complex and time-consuming process. MRU has stated that impacted individuals, including current and former students and employees, will be notified directly once identified. The exact nature of the exposed data varies by person.
The threat group CMD Organization has claimed responsibility for the attack, publishing samples of allegedly stolen data that include passport scans and other sensitive documents. The group has issued a ransom demand of 30 Bitcoin, equivalent to approximately $1.9 million USD, setting a six-day deadline for payment before threatening to leak the complete dataset. CMD Organization operates an auction-style system on its extortion site, offering exclusive sales of stolen data to the highest bidder, and currently lists numerous other organizations as victims.
MRU anticipates that the recovery of affected systems could take several weeks to months. The university is committed to providing regular updates as new information becomes available. As a measure to mitigate potential harm, MRU is offering two years of complimentary credit monitoring and identity theft protection services to all current employees and those employed within the last five years.
This incident highlights the persistent threat posed by ransomware groups targeting educational institutions, which often hold vast amounts of sensitive personal data. The tactic of stealing data and then deleting original backups is a common extortion strategy designed to maximize pressure on victims to pay ransoms, as it complicates recovery and increases the likelihood of data leakage.
The university's response, including engaging cybersecurity experts, reporting to authorities, and offering identity protection services, aligns with best practices for managing such breaches. However, the extended recovery timeline and the potential for permanent data loss underscore the significant challenges faced by organizations in the aftermath of sophisticated cyberattacks.