Here is the complete article in the specified format.
title: "Mount Royal University: June Ransomware Attack and Data Theft" date: 2026-07-08 slug: mount-royal-university-ransomware
Mount Royal University: June Ransomware Attack and Data Theft
Mount Royal University (MRU) in Calgary confirmed on Tuesday that student and staff data was stolen during a ransomware attack that struck the institution on June 17. An unauthorized actor accessed and exfiltrated data from folders on the university's shared "H drive," then deleted that data to impede recovery. A second network share, the "J drive," was also wiped, though the university says no data was copied from it. The Alberta Information and Privacy Commissioner's office has been notified and police are investigating, with no arrests reported.
What Happened
MRU officials disclosed that two separate targets were compromised in the June 17 incident. The first was the university's "H drive," a shared storage volume used to support students' academic work and employees' day-to-day tasks. According to the university, "data within certain folders on the University's 'H drive' was accessed and taken by an unauthorized actor," after which "the actor then deleted our H drive data to impede our recovery."
The second target was the "J drive," which held departmental data. That drive was deleted by the attacker, but MRU states no data was accessed or copied from it. The university is still attempting to restore the deleted J drive data and cautioned that "a full recovery may not be possible." Analysis of the overall impact and the recoverability of lost data could take weeks or months.
In the immediate aftermath, operational systems took a visible hit. A faculty member reported that course scheduling, fall registration, and the payroll system were among the most affected functions in the week following the attack, and that MRU-issued laptops were recalled for servicing as part of the response. As of the university's Tuesday update, the summer semester is proceeding on schedule and some fall semester deadlines have been adjusted.
What Was Taken
The stolen data resided in a subset of folders on the H drive. Because that drive was used as personal and working storage, the sensitivity of the exposed information varies by individual: "depending on what individuals chose to store in the folder it may contain personal information." MRU emphasized that only some folders were accessed rather than the entire volume.
The affected population spans current and former students and staff. The university said it will begin contacting impacted individuals within the following week. As a precaution, all current employees and anyone employed within the past five years will be provided with two years of credit monitoring and identity theft protection services, an indication that the university considers employee personally identifiable information to be within the potential exposure set.
Why It Matters
This incident reflects a now-standard double extortion playbook: attackers not only exfiltrate data for leverage but also destroy the victim's copies to maximize operational pressure and complicate recovery. The deletion of both the H and J drives means MRU faces two simultaneous crises, a data breach requiring notification and a data-loss event that may be permanent if backups are incomplete.
Post-secondary institutions are attractive and repeatedly targeted victims. They hold large volumes of personal data on transient populations, operate flat and highly interconnected networks, and often rely on shared drives with broad access permissions, exactly the kind of environment where a single foothold can reach data belonging to thousands. The reliance on user-controlled network shares like the H drive also creates unpredictable exposure, since the sensitivity of what is lost depends entirely on individual storage habits rather than centralized data governance.
The event fits a broader pattern of ransomware pressure on Canadian universities. In 2016, the University of Calgary paid roughly $20,000 to attackers in an attempt to restore critical systems, a reminder that these institutions have historically been willing to negotiate under duress.
The Attack Technique
MRU has not publicly disclosed the initial access vector, the ransomware family involved, or the identity of the threat actor. The confirmed behaviors, however, are consistent with a modern ransomware operation: gaining unauthorized access to file shares, exfiltrating targeted folders, and then deleting the source data to hinder restoration and strengthen extortion leverage.
The recall of MRU-issued laptops for servicing suggests concern about endpoint compromise or the need to remediate potentially affected devices at scale. The disruption to payroll, registration, and scheduling systems is typical of attacks that reach shared infrastructure and directory-dependent services. Until the university or investigators release further detail, the specific intrusion path, whether phishing, exposed remote access, or credential abuse, remains unconfirmed.
What Organizations Should Do
- Enforce least-privilege access on shared drives. Broad, legacy permissions on volumes like an "H drive" or "J drive" let a single compromised account reach far more data than necessary. Audit and tighten share-level and folder-level access.
- Maintain immutable, offline backups. The attacker's deletion of both drives shows why recovery hinges on backups that cannot be altered or destroyed by an intruder. Test restoration regularly and verify that a "full recovery" is actually achievable.
- Deploy and monitor EDR across all endpoints. Endpoint detection and response can surface lateral movement and mass file access or deletion before exfiltration completes, and would inform decisions like recalling potentially compromised devices.
- Require phishing-resistant MFA on all accounts. Multi-factor authentication, ideally hardware-backed, blunts the credential-based access that commonly precedes network share compromise.
- Segment networks to contain blast radius. Isolate departmental and administrative systems (payroll, registration, scheduling) from general file storage so a single intrusion cannot cascade across critical operations.
- Prepare a breach notification and monitoring plan in advance. MRU's rapid offer of credit monitoring and its notification to the privacy commissioner reflect obligations every institution should have rehearsed before an incident, not improvised during one.
Sources: MRU student, staff data stolen in ransomware cyberattack | Calgary Herald