Privacy breach and password change request notice, March 2, 2020get help

This message is being published on behalf of Mark Roman, Chief Information Officer.

I regret to inform you that there has been a breach of privacy affecting personal information at Simon Fraser University (SFU).  The purpose of this notice is to explain what we currently know about this breach, what steps the University is taking, and what steps you can take to protect your personal information, privacy, and identity.

The information below applies to faculty, staff, students, alumni, and retirees who joined the University prior to June 20, 2019. If this includes you, please promptly change your SFU Computing ID password. While it does not appear that any SFU Computing accounts have been compromised, changing your password now will significantly mitigate that risk.

The steps we ask you to take

The immediate steps you should take to protect your personal information, privacy, and identity are:

  • Promptly change your SFU Computing ID password. This should only take you 2 minutes. To change your password, click here.
  • Use your new password when connecting to SFU Wi-Fi and any online applications such as goSFU, myINFO, SFU Mail, and SFU Vault.
  • Monitor personal accounts and memberships of all kinds for any unusual activity over the next several months.

The privacy breach

The privacy breach occurred when SFU’s system was subjected to a ransomware attack that found a weakness in the way the information was handled. This weakness has been discovered and corrected. No SFU systems are currently exposed. The data was exposed on February 27, 2020, the issue was identified and corrected on February 28, 2020.

The personal information exposed and the potential risks

The personal information that was exposed is comprised of the types listed below:

  • SFU Computing ID
  • SFU student/employee ID number
  • First, last and preferred names
  • Birthdate
  • Employee group
  • Mail lists which the SFU Computing ID belongs to
  • Course enrollment
  • External email address
  • Data from web forms 
  • Encrypted passwords were also exposed.

The potential risks and harms connected with the exposure of your personal information are:

  • Identity theft;
  • Additional personal information being discovered by linking the exposed information with other sources of information; and
  • Unsolicited bulk or commercial email.

The steps SFU is taking

SFU is taking immediate steps to control or reduce the potential harm from this breach and to prevent future incidents.  We are:

  • Notifying affected individuals about the data breach;
  • Assisting individuals upon request and as needed to mitigate any harm;
  • Investigating the cause and extent of the data breach and taking further action as appropriate;
  • Evaluating the risks associated with the breach and responding to them as we receive more information;
  • Reviewing and changing as appropriate physical, procedural, and technical security measures;
  • Reviewing and changing as appropriate internal operating policies and procedures; and
  • Reporting this privacy breach to BC's Office of the Information and Privacy Commissioner.

Who to contact for help

If you have questions, want more information, or need further assistance, please contact:

IT Services
Telephone: 778-782-4828
Email: its-help@sfu.ca
In-person: IT Service Centres in the Burnaby (SCP 9300 or WMC2262), Surrey (Room 353) or Vancouver (HC1300) campuses.

Contacting the Office of the Information and Privacy Commissioner for British Columbia

You can consult the website for that Office at https://www.oipc.bc.ca/ for general information about protection of personal privacy.  You have the right to complain to the Commissioner by writing to:

Information and Privacy Commissioner
PO Box 9038, Stn Prov Govt
Victoria, British Columbia V8W 9A4
Tele. 250-387-5629  Fax 250-387-1696
If you submit a complaint, please provide the Commissioner’s office with:

  1. Your name, address and telephone number;
  2. A copy of this letter; and,
  3. The reasons or grounds upon which you are complaining.

We deeply regret this incident, are working diligently to contain the situation and are committed to helping mitigate the potential risks and harm to our faculty, staff, students, alumni, and retirees.

Yours truly,

Mark Roman
Chief Information Officer