Students and digital security experts say York University must release more information about what the school calls an “extremely serious” cyber attack last week.
York says the Friday evening attack corrupted a number of its servers and workstations, though it has not yet said if any sensitive information was stolen.
In a statement, York said its IT department quickly severed the school’s internet connection and shut down many of its online programs after the attack began, a move that mitigated the scope and severity of the breach.
As of Monday afternoon, some of those programs remained offline, including portals where students can access OSAP applications, tuition fees and final grades from the winter semester.
York has advised that everyone at the university will need to reset their passwords as a result of the attack.
But the York Federation of Students (YFS) has voiced concerns over what it says is a lack of communication following the hack. The student union says the university did not directly inform students about the situation, relying instead on statements posted to its website and social media.
“There haven’t been many consistent updates, which is concerning,” said YFS president Fatima Babiker in an email to CBC Toronto.
“We are looking to our university’s higher administration to deal with this urgent situation at hand as soon as possible.”
York says it is now investigating the attack with the assistance of external forensics experts.
“As you can imagine, the investigation is complex, is still ongoing and will likely take some days to complete,” said chief information officer Donald Ipperciel in a statement.
“It is already very evident that UIT’s quick response significantly reduced the potential damage this cyber attack would have caused, if not detected and dealt with so quickly,” the statement continued.
Ipperciel said his team is now working to restore York’s online systems “as quickly as possible” but did not provide a timeline for when that will occur.
Attacker ‘looking to do some damage’
While York has not provided detailed information about the type of attack it suffered, security analyst Claudiu Popa said the language used by the university suggests students and faculty should be concerned.
“We can surmise that anything that spreads on servers and workstations is likely to not just be something that replicates quickly but is something that is looking to do some damage,” said Popa, a cyber security expert at Informatica security.
He also questioned the university’s public response following the attack, expressing surprise that York did not release information that might help students and faculty protect themselves if their personal information was compromised.
“Educational institutions, especially at this level, they hold a lot of student data, not just for current students, but for all the students that have passed through their doors,” Popa said.
He added the release of further details might also help other universities and colleges protect themselves, since attacks on particular types of organizations often come in waves.
“Cyber criminals develop their skills as specific to particular sectors and then they apply them to as many organizations as possible,” Popa said.
“It would be helpful for them to know what to pay attention to.”