By Amedeo De Pretto
Graphic by Trevor Swann
Carleton University’s network fell victim to a ransomware attack on Nov. 29, with the hackers behind the incident asking for bitcoins in return for data. The hackers demanded two bitcoin, roughly $2,000, in exchange for re-access to data on infected computers.
Ransomware attacks typically originate when a virus is installed on a computer. The virus then encrypts data and demands a ransom in order to decrypt it.
The anonymous nature of bitcoin as a currency means the attackers are seldom found, even after the ransom is paid. Bitcoin’s website states that transactions using the currency do not contain customers’ personal information, and “no individual or organization can control or manipulate the bitcoin protocol because it is cryptographically secure.”
Carleton released a statement saying that despite the hack, no personal information had been accessed.
Robert Biddle, a Carleton professor of computer-human interaction, said ransomware can sometimes be just the tip of the iceberg in a larger issue.
“[The malicious software] may be doing other things in your machine or network that you don’t know about, and these things tend to propagate once they’re on a network,” Biddle said.
Carleton is not the first university to fall victim to such an attack. In May, the University of Calgary (U of C) was victim to a ransomware attack that affected more than 100 of their computers.
Unlike the incident at Carleton, the university was unable to recover the data and ended up paying $20,000 to obtain the encryption keys.
In an interview with CBC’s Calgary Eyeopener radio broadcast, John Aycock, an associate computer science professor at the U of C, said the school paid the ransom money to the hacker because it was the most cost-effective option. An hour of the 1,800 academic staff’s time spent unable to access data, assuming they were paid minimum wage, would exceed the ransom amount.
“Even if you say you’ve saved an hour of everyone’s time, you’re already ahead of the game in the big picture. You could argue that the university got a bargain [with the ransom],” Aycock said.
Meeting the ransom can be a risky venture due to the criminal nature of the attack. Hackers may accept the payment and return access to the data, as was the case for U of C. But in other cases the hackers will demand more money, even after the original ransom has been met.
The Kansas Heart Hospital in the U.S. also experienced a ransomware attack in May 2016. The hospital paid an undisclosed ransom to the hackers, but only received partial access to their data after paying. The hackers then demanded a second payment for the rest of the data, according to multiple news outlets.
Biddle said regular data backups can help prevent ransom demands from being a threat.
“If you have the data stored elsewhere, where it isn’t affected, then you should be in a reasonable position to wipe that machine and recreate it,” Biddle said.
But the recent hacking incidents at both U of C and Carleton may not be a complete image of the threat hacks pose to universities across the country.
Currently, Alberta is the only province with mandatory data breach reporting requirements, as set out under the province’s Personal Information Protection Act (PIPA).
The rest of the country is poised to follow soon, with the Digital Privacy Act, or Bill S-4, having received Royal Assent. It is scheduled to be introduced once the government passes regulations specifying the bill’s requirements, according to the Government of Canada’s website.
Under the bill, private sector organizations will have to notify individuals of any data breach that poses “a real risk of significant harm,” and report the incident to the Privacy Commissioner.
But currently, universities in every province outside Alberta are legally allowed to keep security breaches private, with no responsibility to report incidents.
Organizations, particularly universities, can be reluctant in disclosing details of a security breach as it can reveal valuable data, such as breakthrough research, that can incite further attacks.
A Toronto Star article from 2013 reported IT specialists from some schools, including McMaster University and McGill University, refused to speak to reporters about cyber security issues over the course of several months.
When the schools did respond to the Star’s interview requests, they did not disclose what types of research had been targeted by hackers, or if the hackers were successful.
In large-scale networks, such as those in universities and other research institutions, keeping track of data and making regular backups is easier said than done, according to Biddle.
“In a very complicated IT system, it’s very easy for things to get messy,” Biddle said.