Phishing scam leads to suspension of online access for hundreds of staff accounts
Algonquin was hit with yet another cyber attack on Tuesday, Jan. 29, when hundreds of employees opened a sophisticated phishing email that looked as if President Cheryl Jensen sent it.
The phishing attack entered inboxes as a survey, and asked employees to fill out the information required. The employees who participated in the survey were asked to provide their user ID and password, which in some cases attempted to download files to their computers.
Chris Lackner, communications officer, said in a press release on Feb. 4, that ITS immediately limited access to systems and the following morning, Jan. 30, forced all employees to reset their passwords. To take more cautionary steps, Algonquin reset some more employees’ passwords Thursday, Jan. 31.
Any employee that engaged with the phishing scam has been notified to let the ITS Service Desk know.
With this most recent attack, Jensen told staff in an email sent out on Feb. 7, the college had to make difficult decisions to restrict college activities with efforts focusing on safeguarding employees’ information.
These general restrictions affected employee access to Workday, a financial management system. However, it allowed the college to proceed with payroll after the ITS and payroll team detected no suspicious activity with the payroll process.
On Feb. 8, Doug Wotherspoon, vice president of innovation and strategy, released an email to faculty stating that there is a current estimate of 250 to 300 people who clicked on the link. Most of the individuals used a college computer so the anti-malware software blocked whatever malware was attached.
Algonquin has found and contacted 43 individuals who had higher risk circumstances; no irregularities have been reported from those contacted.
“Our investigation has led us to conclude that, in a number of cases, the compromise may have originated via personal computers, some of which did not have adequate anti-malware protection,” explained Wotherspoon in the email.
Jensen said in her email, that the college can only provide information to employees when it is safe to release and that Algonquin is constantly reinforcing and adding security to the systems.
Jensen explained in a previous interview with the Times, about the inadvertent sharing through Workday, that after a May 16 hack, Algonquin implemented four new protocols to help fight against data breaches. They include automatic patch and security updates so the school can be notified about these updates, advanced server protection to protect servers from hacks, cross-college anti-virus software reviews to make sure everyone has the most up-to-date and enhanced solutions and additional server security scannings.
Jensen believed these new protocols would work and in the previous interview about Workday she reassured her belief in it.
“Yep, I do,” said Jensen. “This is something we are diligent about, and as I mentioned we have resources that pay attention to this.”
With these four new protocols in place, however, how was this most recent phishing scam allowed to happen, and so soon after the previous one?
Wotherspoon explained that the school has the four protocols in place to continue to help and keep the college safe however, phishing scams are getting more sophisticated everyday.
“Phishing is an ongoing and continuously evolving thing and I don’t know if we are ever going to make ourselves phish proof,” said Wotherspoon.
Much like banks and other institutions, Wotherspoon explained that the college will never ask for usernames or passwords. He said that all staff have to remain vigilant around phishing, especially when emails or notifications are asking for sensitive information.
“Everyone has a roll to play in safety and security of our systems,” said Wotherspoon.
Algonquin continues to improve security measures and improve “hunting” for these types of things, Wotherspoon compared the constant battle for cyber security to a marathon.
The college could be targeted because it is an institution rich with information as people are in constant search of information.
“People are always testing for vulnerabilities,” said Wotherspoon.
Algonquin reported this scam for personal information to the Ontario Privacy Commission because of the breach of information that happened. The college does this whenever hacks happen at the school and is reported in the annual Algonquin reports.
Jensen claims that Algonquin pays “very close” attention to data breaches and that they have resources dedicated for cyber security. Despite this most recent phishing scam and the May 16 hack, Wotherspoon still believes that the school is doing a good job at cyber security.
“Yes, I think we are doing a good job,” said Wotherpsoon. “I don’t know that any organization can ever say that they are a 100 per cent full proof and I would not suggest that we are but, I think we have resources and the tech that does in fact allow us to deal with these issues quickly.”
The Times has reached out by email and phone to faculty members to learn the affects the phishing attack had on them, their computers and regular functions for day to day use. None have replied.
ITS will be conducing an ongoing investigation, which could result in disruptions to some systems at Algonquin. The college is remaining careful as it analyzes more potential impacts.
“I urge everybody to again, recognize that we will never ask individuals via email for usernames and passwords,” said Wotherspoon.