What Happened
Mount Royal University (MRU) in Calgary, Alberta, confirmed a ransomware attack first detected on June 17, 2026. The threat group CMD Organization breached the university’s network, exfiltrated 10 terabytes of data from file storage systems used by students and employees, and then deleted the originals — a destructive tactic designed to eliminate recovery options and maximize pressure on the victim.
CMD published samples of the stolen data, including passport scans, to a ransomware extortion site, and demanded a $1.9 million ransom. The university confirmed the compromise of student and employee data in a public notice, and is offering two years of credit monitoring and identity theft protection to all current employees and those employed in the past five years. MRU is working with external forensics specialists and law enforcement, including the RCMP, as the investigation continues.
The incident was first reported by threat intelligence sources on July 7, 2026, and confirmed by MRU on July 8. Full disclosure of the scope of affected individuals is still pending. According to reporting by BleepingComputer and confirmed by SecurityWeek, the university is still assessing the full extent of the data exposure.
Why This Matters for Canadian Organizations
Canadian post-secondary institutions have become a high-frequency ransomware target in 2026. MRU joins a growing list of Canadian universities and colleges that have faced network intrusions, data theft, and extortion demands this year. The deliberate deletion of source files alongside exfiltration — a “double-wipe” tactic — removes the institution’s ability to restore from internal backups, making the ransom demand the path of least resistance for unprepared organizations.
Under PIPEDA, MRU has an obligation to report the breach to the Office of the Privacy Commissioner of Canada and notify affected individuals where a real risk of significant harm exists. Exposure of passport numbers alongside employment and student records clears that threshold. Alberta’s Health Information Act and the Freedom of Information and Protection of Privacy Act (FOIPP) add provincial obligations depending on the nature of data held.
The breach also raises supply chain risk questions. Universities are repositories of government-funded research, sensitive personnel data tied to federal grant holders, and information on international students — all categories of interest to foreign intelligence operations. CMD Organization’s profile suggests financially motivated cybercrime, but the data stolen is sensitive enough to be of secondary value to other actors.
What to Do
Canadian post-secondary institutions should treat this incident as a direct signal to audit their current posture:
Verify that file storage systems are backed up to offline or air-gapped targets that ransomware actors cannot reach from the network. A 3-2-1 backup strategy — three copies, two media types, one off-site — is the baseline. Confirm ransomware scenarios are explicitly included in tabletop exercises and incident response plans. Review identity and access management controls for student and employee file storage: scope access strictly by role and department to limit the blast radius of any single compromised account. Engage your institution’s legal counsel now on PIPEDA breach notification timelines — the clock starts when a breach is confirmed, not when the full scope is known. Check whether your institution carries cyber insurance and confirm the policy covers ransomware extortion and notification costs.
For institutions running similar file storage infrastructure, review whether CMD Organization’s known indicators of compromise have touched your environment, and share threat intelligence through established post-secondary sector ISACs and the Canadian Centre for Cyber Security’s reporting portal.






