The University of Guelph has begun notifying individuals whose personal information may have been affected by the IT system incident first reported on September 11, 2022.

A thorough investigation has identified individuals whose personal information and/or University email accounts may have been accessed.

The University is contacting those individuals who may have been affected to provide further information and recommendations on next steps.

The University has taken steps to further strengthen the security of its systems and has securely restored all essential IT systems. The University will continue to engage relevant experts and authorities to protect and mitigate against further incidents.

What happened and actions taken by the University

On September 11, 2022, the University first reported an incident impacting multiple IT systems. On October 5, 2022, the investigation revealed that the incident may have resulted in the potential compromise of data on certain University IT systems.

Unauthorized access was limited to certain email accounts and individual files stored on computer workstations in Human Resources, a file share used by the Ontario Veterinary College and a backup server used by OpenEd. Our analysis indicates there was no unauthorized access to major University financial systems or enterprise databases.

The nature of the compromise required a manual review of the potentially compromised data by the University which concluded in March 2023.

Immediately upon discovering the incident, the University took steps to contain any unauthorized access and to secure its systems. This included, a number of precautionary measures, including taking certain systems offline and communicating with our University community about the incident. The University also engaged a team of external experts to assist with containment efforts and to conduct an investigation into the incident.

Together with our partners, the University has taken steps to further strengthen the security of its systems, securely restore all essential IT systems, and to conduct regular security assessments to protect and mitigate against future incidents.

In addition, the University continues to work alongside law enforcement, government and regulatory bodies to address the incident.

The investigation also revealed the potential compromise of some University of Guelph e-mail accounts. U of G immediately acted to secure these accounts.

Protecting our community’s personal information is of the utmost importance. Out of an abundance of caution, credit monitoring protection has been offered where individuals may benefit from these services, based on the nature of their potentially impacted personal information.

Best practices for IT security

The following privacy and IT security best practices can help keep your information safe online:

  • Remain vigilant of phishing and spoofing attempts. A spoofing email is an impersonation tactic used in phishing campaigns to trick individuals into thinking that the email came from a trusted source. For example, the displayed name may say that the email came from John Doe, however, the sender’s email address contains an extra symbol or letter not found in the legitimate business email address.
  • While the University does communicate by email and text, it does not make unsolicited requests for personal information through these channels. If you receive emails or text messages that seem to be from the University asking for account or any other personal information that you were not expecting, consider the email or text to be fraudulent, and contact the IT Help Desk immediately at https://ithelp.uoguelph.ca/it-help. Never share social insurance numbers, banking information or credit card information through email or text.
  • Never respond to any unsolicited requests for your information.
  • Use a complex and unique password for your U of G login credentials. Do not reuse your U of G credentials or a similar version of them on different platforms.
  • Enroll your U of G central login for Multifactor Authentication if you have not already done so. Visit https://www.uoguelph.ca/ccs/multifactor-authentication-mfa to learn more.
  • Change your passwords regularly (approximately every three months) and ensure that you choose a unique password every time.

Additional tips and resources for protecting your identity are available on the IT Help webpage.

The University sincerely regrets any inconvenience this incident may have caused and appreciates our community’s understanding.

Please contact privacyquestions@uoguelph.ca if you have additional questions or concerns.