
Mount Royal University in Calgary says hackers stole and then deleted data from its file storage systems after breaching the university’s network.
In an update published on its website, MRU states that it has engaged technical teams and external cybersecurity experts to investigate the incident and to support recovery efforts following a cyberattack on June 17.
The incident disrupted a broad range of university systems, including online services, internet access, and certain internal systems.
MRU is a public university with a history of more than 100 years. It currently has 11,560 students and 12,500 undergraduates.
So far, the investigation confirmed that the attacker stole data stored on a drive used by students and employees for file storage, and the original copies were wiped to disrupt recovery operations.
“We regret to inform our community that our investigation has now shown that data within certain folders on the University’s “H drive” was accessed and taken by an unauthorized actor,” reads the announcement.
The university specified that the incident affected certain folders on the H drive, which contained information affecting current and former students, current and former employees of the university, and an unspecified category of “other individuals.”
Additionally, the attackers also wiped a separate drive, labeled “J,” which stored departmental data. “There is currently no evidence that J drive data was accessed or copied before it was deleted,” MRU says.
“We are still working to recover deleted J drive data, but a full recovery may not be possible.”
The university stated that the incident has been reported to the Alberta Information and Privacy Commissioner and to law enforcement authorities.
The university states that the exposed data varies by person, and because it has been deleted, determining the exact impact for each individual is complicated and will take time.
Once impacted individuals are identified, they will be contacted directly via personalized notifications.
CMD Organization claims the attack
The MRU attack was claimed by the threat group CMD Organization, which has published samples of the allegedly stolen data, including passport scans and other sensitive documents.
The threat actor asked for a 30 BTC ransom, currently around $1.9 million, and gave the university six days to respond before leaking the full set of stolen information.

Source: BleepingComputer
CMD Organization appears to use an auction-style system, offering to sell the stolen data exclusively to the highest bidder. The threat group currently lists 30 organizations on its extortion site and operates both a clear web and a dark web portal.
MRU said that the recovery of the affected systems may take between several weeks and months and will provide updates as soon as new details become available.
The university is also offering two years of credit monitoring and identity theft protection to all current employees and individuals employed in the past five years.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.


