Mount Royal University ransomware attack compromises H drive data, prompts credit monitoring for staff and students
Mount Royal University ransomware attack exposed and deleted campus data; H drive folders were stolen while J drive files were deleted, officials say.
Mount Royal University confirmed that a ransomware attack on June 17 compromised data on parts of its H drive and resulted in the deletion of files on its J drive. The university said the incident affected current and former students and employees, and it has begun notifying those whose information appears to have been accessed. MRU described the perpetrators as extortionists who typically encrypt and demand payment to restore or return stolen information.
Ransomware hits Mount Royal University
Mount Royal University reported the cyberattack in late June after discovering unauthorized access to internal storage systems. The university identified the incident as ransomware and confirmed the attack occurred on June 17. Officials said the actor accessed certain folders on the H drive and then removed the content to undermine recovery efforts.
University leaders notified the campus community and launched an internal investigation with the assistance of law enforcement. The Alberta Information and Privacy Commissioner’s office has been informed and police are participating in the probe, though no arrests have been announced to date. MRU cautioned that assessing the full scale of impact and recoverability may require weeks or months.
Scope of data accessed and deleted
MRU said only some folders on the H drive were accessed and taken, and that the J drive — which holds departmental and administrative files — was deleted but not copied. The university stressed that the H drive is used by students and staff to support academic work and employment tasks, and that content varies based on what individuals chose to store there. As a result, personal information may be among the files taken.
Officials are conducting forensic analysis to determine which specific records were involved and will directly notify individuals whose data was confirmed to have been accessed. MRU warned that recovery of deleted J drive data is uncertain and that efforts to restore lost files are ongoing.
Operational impacts on campus systems
Faculty and staff reported disruptions to key administrative systems in the days following the attack. An instructor who spoke about the fallout said course scheduling, fall registration and some payroll functions were among the most affected services, although payroll payments had been processed. The university also recalled MRU-issued laptops for servicing as part of containment and remediation activities.
Despite the breach, MRU said the summer semester continues largely as scheduled, but officials have adjusted several fall deadlines to accommodate recovery work. Students and staff have been advised to monitor communications from the university for updated timelines and instructions.
Support measures for affected individuals
As a precaution, Mount Royal University is offering two years of credit monitoring and identity theft protection to all current employees and anyone employed by the university within the past five years. The university framed the offer as a protective step while investigations and recovery efforts proceed. Notices to impacted individuals are expected to be sent within the coming week.
MRU emphasized that the support measure is intended to help mitigate potential downstream risks associated with exposed personal information. The university also encouraged community members to remain vigilant for phishing emails, unusual account activity and other signs of possible fraud.
Investigation and recovery strategy
University IT teams, external cybersecurity specialists and law enforcement are working to contain the attack, recover data where possible and strengthen systems against further compromise. MRU reported that the actor attempted to impede recovery by deleting files after exfiltration, complicating restoration efforts. Officials cautioned that full restoration of affected drives may not be achievable.
The forensic process will focus on identifying what was taken, tracing how the actor gained access and implementing measures to harden the university’s network. MRU said timelines for assessments and recovery vary and that some analyses could take months to complete.
Ransomware trends in post-secondary institutions
Ransomware has increasingly targeted post-secondary institutions in recent years, prompting sector-wide concern about research preservation, student privacy and administrative continuity. Canadian universities and colleges have publicly reported incidents that disrupted operations and, in some cases, led to payments or protracted recovery efforts. MRU’s incident adds to a series of attacks against educational institutions that security experts warn will likely continue without robust protections.
The university cited past regional cases when explaining the severity and potential consequences of the attack, and confirmed it will review policies and technical safeguards as part of its response. Campus stakeholders are awaiting more detailed findings from MRU’s investigation and updates on any affected personal information.
Mount Royal University has pledged to keep the campus community informed as the investigation continues and recovery efforts advance.