two years later, uwindsor remains mum on whether ransom paid to cyberattackers

more than two years after a crippling cyberattack, the university of windsor still refuses to confirm whether it paid a ransom to regain control of its hijacked systems.
during a yearlong freedom of information battle with the windsor star, the university tried to charge nearly $9,000 for documents related to the june 2022 cyberattack, while refusing to answer some basic questions of public interest.
was there a ransom demand? how much was the ransom? did the university of windsor pay it? 
the consensus in law enforcement is that institutions under cyberattack should not bend to ransom demands, which raises another question. 
why won’t the university of windsor reveal if it paid off the criminals? 
“these are matters of public interest,” said james l. turk, director of the centre for free expression at toronto metropolitan university. “it’s certainly an appropriate question to ask. did they pay a ransom or not? 
“all of us would assume, i imagine, that their refusal to answer means they did pay a ransom.” 
the university of windsor declined to comment.  
the star, which is appealing uwindsor’s fee estimates, did confirm through the process that what the university has been calling a “cybersecurity incident” was indeed an attack. 
but the university has never confirmed how many systems were breached, how it occurred, who did it, how many people were affected, and whether it paid a ransom.  
after months of failed mediation attempts with a provincially appointed go-between, the star appeal went to adjudication in early november. an adjudicator can review the case and issue a ruling — which now won’t happen until at least 2025.
university systems, including its main website, the blackboard course management site, and the uwinsite student services site went down on june 20, 2022. the fallout lasted weeks. 
apart from stating it was investigating and taking steps to mitigate the effects, uwindsor provided few details. 
a notice to the university community shortly after the incident said in part: “we apologize for the inconvenience and appreciate your patience. we will be sure to provide additional updates regarding the outage as they become available.”
public interest in the issue is growing as cyberattacks proliferate, often targeting public institutions, which are taxpayer-funded, and with citizens’ private information in the crosshairs. 
“universities are really important institutions, so the public at large has a right,” said turk. “even if i’m not a donor or a student or a faculty member at the university of windsor, i would have an interest in universities coming under cyberattacks and what the consequences of those have been.” 
experts on cyberattacks, and how publicly funded institutions respond to the online ransom demands of hackers, urge transparency by the victims. file photo / postmedia news
hackers hit five southwestern ontario hospitals last year, including those in windsor and leamington, along with their shared service organization. they were demanding about $8 million to keep stolen staff and patient data off the ‘dark web.’
the hospitals eventually provided the public with multiple details about the attack, including their refusal to pay a ransom, which is the advice of governments and police agencies around the globe. 
that includes canada, which was among 50 members of the international counter ransomware initiative (cri) that pledged last year to never pay ransoms. law enforcement agencies including the rcmp and the fbi also say it’s the wrong move. 
“obviously, the goal is don’t pay,” said terry cutler, a certified ethical hacker and ceo of cyology labs in quebec. 
he said an agency’s willingness to pay once might encourage the criminals to strike again, and there’s no guarantee they’ll restore the hacked systems.   
“remember, you’re dealing with a criminal,” cutler told the star. 
but he added there isn’t always a choice, particularly with organizations such as municipalities that can’t afford to have extended outages. 
cybersecurity expert brett callow said ransomware attacks are “pressure-cooker events” that require organizations to rapidly make hard decisions — such as paying a ransom — that could affect relationships with stakeholders.
“in other words, it’s a reputational minefield,” said callow, the managing director of cybersecurity and data privacy communications at fti consulting in new york. 
in the wake of a cyberattack, he said communication is key. 
“clear communications during and after an incident can ensure customers and other stakeholders that the organization has their interests front and centre, reduce legal risks, and reduce the potential for reputational harm,” said callow. 
uwindsor’s refusal to share more information prompted the star to file an access to information request in january 2024. 
the star sent a similar request to the ontario ministry of colleges and universities, which stated it had no related documents and never received a written report from uwindsor about its cyberattack.
the university said it did send updates to the province, but did not get more specific. 
“the university of windsor provided reports and immediate updates to key governing provincial bodies as required in these incidents and as requested,” uwindsor told the star in a march email. 
in its information request, the star asked uwindsor for reports addressing issues including whether the university contacted police, if the “incident” was a cyberattack, and whether the university paid a ransom.  
the star also asked for correspondence between several high-ranking officials, including president robert gordon. 
university of windsor president robert gordon addresses graduating students during the school’s 121st convocation at the toldo lancer centre on june 4, 2024. taylor campbell / windsor star
in april, uwindsor said the estimated fee for the documents being requested was $8,907. the star appealed. 
while the law does permit institutions to charge fees for access to information requests, turk said institutions often suggest exorbitant costs to deter people.  
in a freedom of information fight that began in 2019 and lasted more than three years, the windsor-detroit tunnel corporation tried to charge the windsor star $22,000 for documents addressing delays on the tunnel’s ceiling repair project.
turk said fees might be justified if an organization has people spending months combing through filing cabinets to dig up documents. but many records are now digital, so the time and cost procuring them is diminished, he said. 
“but people can still be charged huge amounts,” said turk. “you can appeal it, but then you go through this long protracted process that often means, especially for journalists, you can’t get the information in a timely enough way.” 
the star has been told the process will likely take another year, and even longer if the university provides redacted documents and a second appeal is required. 
uwindsor stated it identified 881 documents, including 6,681 pages and 150 excel documents, that were “likely responsive” to the request. but it added that a large number of those documents would be exempted using various sections of the freedom of information and protection of privacy act.
turk told the star privacy legislation is “overly restrictive” to begin with and allows for exemptions that “undermine the public’s right to know.” but many organizations take that even further, he said. 
“so, you have two problems,” said turk. “one, the law itself is not that great. then you do have many public institutions trying to evade even the things that the law does allow to be released.” 
over the last year, through a provincial mediator, the star repeatedly altered its request to decrease the number of documents and the fee.
in july, the star narrowed the request to only gordon’s emails and direct answers to 11 questions revolving around a potential ransom demand and other issues. 
the university said the search of gordon’s emails resulted in 1,818 pages of records, which would cost an estimated $3,698. it answered three of the questions.  
uwindsor confirmed it was the victim of a cyberattack and that police were called to investigate. it also gave some insight into the steps taken to restore systems. 
“the immediate steps taken were to shut down affected servers, block all traffic through the firewall, and engage third-party support to help with investigation and recovery,” the university said in an emailed aug. 28 letter.
“in recognition of the continuously evolving threat landscape, the university also began a multiyear cybersecurity roadmap implementation to further protect the university community from future cybersecurity incidents.” 
uwindsor ignored the other eight questions, stating in the letter that the privacy act doesn’t require institutions to answer questions. 
the star again narrowed its request to records from gordon’s emails that would address three basic issues. was there a ransom demand? how much was the ransom? did the university of windsor pay it? 
the university applied a blanket search for the term “ransom,” and said it found about 1,086 pages. the fee this time was $2,786, with many exemptions anticipated. 
in october, the university suggested through the mediator that the star direct specific questions to its public affairs and communications (pac) department. pac’s previous refusal to answer the questions is what prompted the star to file its information request. 
after repeated requests to pac over weeks, the office provided a one-sentence response. 
“the appeal is being transferred to a case lead who may conduct an inquiry and as such we have no further comments.”
trevor wilhelm

trevor wilhelm is an award-winning multimedia journalist. he has been a reporter for more than two decades, living and working in locales ranging from winnipeg to hong kong. wilhelm has been a member of the windsor star team, chronicling the triumphs and tragedies of his adopted hometown, since 2006. his coverage has ranged from the police beat to provincial politics. for the last several years, he has focused on lengthier investigations, freedom of information probes, and in-depth feature writing. his work has highlighted social issues, exposed hidden information, and changed government policy.
