Could Your Data Be in the Mount Royal University Data Breach? Here’s What We Know

July 9, 2026
by
Abhijay Bhatnagar
deleteme

Could Your Data Be in the Mount Royal University Data Breach? Here’s What We Know

If you used Mount Royal University’s network storage, this one hits close to home. MRU says an attacker accessed and took data from certain “H drive” folders used by students and employees—and then deleted the originals to slow recovery. At the same time, MRU reports a separate “J drive” used for departmental data was wiped, with no evidence (so far) that J drive data was copied before deletion. Here’s what happened, who might be affected, what the extortion group is claiming, and what you should do right now while you wait for MRU’s direct notification.

What happened on June 17 (and what MRU has actually confirmed)

Mount Royal University says the June 17 cyberattack wasn’t just “systems down.” It was a data breach plus destructive deletion—a combo that makes both privacy and recovery harder.

Here’s what MRU has confirmed so far: an unauthorized actor accessed and took data from certain folders on the university’s “H drive”, a network storage drive used by students and employees for file storage. After taking the data, the attacker wiped the original copies to disrupt recovery.

That detail matters. It means this isn’t only a question of “Were my files exposed?” It can also be “Are my files gone?”—because the attacker’s move wasn’t accidental damage. It was intentional friction: delete what you stole so the organization can’t quickly verify what’s missing or restore operations cleanly.

The H drive: accessed, taken, then wiped

MRU’s statement is specific on two key points:

  • Data within certain H drive folders was accessed and taken by an unauthorized actor.
  • The original copies were wiped to slow down recovery efforts.

If you’re thinking, “But my stuff was just class files,” remember what people commonly store in school folders when deadlines hit: scanned IDs, forms, work-study paperwork, old resumes, immigration docs, financial info—whatever was needed at the time.

The J drive: wiped, and MRU says there’s no evidence (yet) it was copied

MRU also described a separate impact: attackers wiped a different drive called the “J drive,” used for departmental data. MRU says there is currently no evidence that J drive data was accessed or copied before it was deleted, and they’re still trying to recover it—but a full recovery may not be possible.

That “no evidence” line is worth reading carefully. It’s not the same as “it definitely wasn’t accessed.” It’s MRU telling you what their investigation can support right now.

What MRU is doing (and why timelines aren’t instant)

MRU says it has engaged technical teams and external cybersecurity experts to investigate and support recovery after the June 17 incident.  MRU also warned recovery could take several weeks to months.

They’ve also reported the incident to the Alberta Information and Privacy Commissioner and to law enforcement.

If you’re trying to figure out whether your data is part of the Mount Royal University data breach, the uncomfortable truth is that the confirmed facts already point to two separate risks: H drive data theft (privacy) and H/J drive wiping (availability). And those risks don’t hit everyone the same way.

Who could be affected—and why it’s taking time to get a straight answer

After a breach like this, the first question is always the same: “Is it me?” MRU’s public language gives a clue, but it doesn’t give a clean list of names—yet.

Who MRU says could be impacted

MRU has stated the affected H drive folders contained information impacting:

  • Current and former students
  • Current and former employees
  • “Other individuals” (MRU doesn’t define this category publicly)

That last line matters. “Other individuals” can mean a lot of everyday university-adjacent people whose info ends up in someone else’s folder: research participants, student placements, vendors, contractors, or community partners. MRU hasn’t confirmed which of those applies here—just that the category exists.

Why MRU can’t instantly say what data was exposed for each person

MRU has also been direct about why the answer is slow and uneven: the exposed data varies by person, and because the data has been deleted, figuring out the exact impact for each individual is complicated and will take time.

Here’s what that looks like in real life:

  • Two people can both have “H drive data,” but one folder might be harmless classwork while another includes high-risk documents.
  • When attackers delete local copies, it can reduce the number of easy reference points investigators normally use to confirm what was in a folder at a specific moment.

So if you’re waiting for a simple “yes/no” checker, this is why it’s not happening right away.

What MRU says about notifications

MRU says that once impacted individuals are identified, they’ll be contacted directly via personalized notifications.

Personalized notice is a good sign in one way: it usually means you’ll get details that actually apply to you (not a vague campus-wide email). The downside is timing. You may be in a “possible exposure” bucket for a while, especially if your relationship with MRU is older (former student, former employee) and records have to be matched carefully.

What the attackers are claiming (CMD Organization, samples, and the 30 BTC demand)

If MRU’s updates answer “what’s confirmed,” the attacker’s posts answer a different question: what they want you to believe—and what they’re using as pressure.

CMD Organization’s claim: stolen data + proof samples

A threat group calling itself CMD Organization has claimed the Mount Royal University attack. They say they stole MRU data and have published sample files as proof, including passport scans and other sensitive documents.

A key point here: a “sample” doesn’t have to be large to cause damage. A single clear ID scan can be enough for downstream fraud attempts, especially when mixed with other leaked details from unrelated breaches.

The 30 BTC demand and the short response window

CMD Organization reportedly demanded 30 BTC (reported as about $1.9 million at the time) and gave MRU six days to respond before leaking the full dataset.

That timeline is part of the playbook: compress decision time so the victim has less room to investigate, restore, and communicate clearly.

What an “extortion site” changes for regular people

When a group uses an extortion site, it’s not just a private negotiation. It creates public pressure and a resale path.

CMD Organization appears to run an auction-style system, offering to sell stolen data exclusively to the highest bidder, and it operates both a clear web and dark web portal.

Practical risk, without the drama:

  • More eyes on the data: once posted or sold, it can spread quickly.
  • Secondary scams spike: attackers (or copycats) use leaked context to craft emails that feel “inside baseball” (think: document verification, account reactivation, tuition issues).
  • Long tail exposure: even if nothing happens this week, the same files can resurface later.

This is why it’s smart to treat the MRU incident as both a data breach and a social-engineering risk—especially if you’ve ever stored identity documents in school-related folders.

What to do right now (before MRU contacts you): a practical checklist

When stolen data is being used as extortion fuel, your biggest risk in the short term is secondary fraud: phishing, account takeovers, and “verification” scams that feel believable because they reference MRU and real campus processes.

1) Treat MRU-themed messages as suspicious by default

Be extra careful with anything that mentions:

  • “storage recovery”
  • “document verification”
  • “urgent reactivation” of an MRU account
  • attachments claiming to be “restored files” or “ID forms”

Rule of thumb: if you didn’t start the request in a known MRU portal, don’t click. Go directly to MRU’s official site by typing it in yourself.

2) Reset passwords where it actually matters (and do it in the right order)

Prioritize accounts that can be used to reset other accounts:

  1. Email accounts (personal + any school/work inboxes you still access)
  2. Banking + payment logins
  3. Government service logins (where applicable)
  4. Anything tied to your MRU identity (single sign-on, alumni portals, old student services)

If you reused a password anywhere, assume it’s already in circulation. Switch to a password manager and turn on multi-factor authentication (MFA) wherever you can.

3) Lock down your “money movers” and “identity anchors”

These are the accounts attackers love because they have clean payout paths or strong identity signals:

  • Bank accounts and credit cards: turn on transaction alerts
  • Mobile carrier account: add a port-out/SIM swap PIN if your provider supports it
  • Marketplace and payment apps: review saved cards, addresses, and recent logins

4) Start a paper trail now (it saves you time later)

Create a simple notes file or folder and log:

  • dates/times of suspicious emails or calls
  • screenshots of messages
  • any password resets you do
  • any financial account changes you make

If a fraud case pops up months from now, you’ll want that timeline.

5) Use the protection MRU says is available (if you qualify)

MRU has said it’s offering two years of credit monitoring and identity theft protection to all current employees and individuals employed in the past five years.

If that’s you, contact MRU and ask:

  • what provider is being used and how to enroll
  • what identity monitoring is included (credit file monitoring vs. broader identity monitoring)
  • what support you get if fraud happens (case management, insurance coverage, document help)
  • what proof of eligibility they need (especially if you’re a former employee)

Even if you’re not eligible for this specific offer, you can still take the same “monitor and document” approach while you wait for MRU’s personalized notice.

How to lower your exposure going forward (especially for student and school admin workflows)

A lot of school-related identity risk isn’t malicious. It’s habit. You scan a passport once for a form, upload it to a shared folder, then forget it exists.

If the MRU situation teaches anything, it’s this: shared storage + sensitive documents is a bad long-term pairing. Attackers don’t need your whole life. They just need one folder where you were rushing.

Make “school identity” smaller than your real identity

For students and staff, the goal is simple: if a university account or storage area is breached, it shouldn’t automatically expose your main contact points or your highest-value documents.

Do this in practice:

  • Use a dedicated school-only email for applications, forms, clubs, and external placements.
  • Use a dedicated school-only phone number for forms that demand SMS or calls (common with program coordinators and third-party platforms).
  • Keep a separate “submission-only” folder on your own device for sensitive documents, then delete or archive safely once the process is done.

Why this works: breaches often turn into targeted phishing. If attackers have your real phone number and primary email, it’s easier to reach you and harder to filter the noise.

Stop treating network drives like filing cabinets

Shared drives are built for collaboration, not for keeping high-risk identity files for years.

A safer workflow for passports, IDs, tax forms, and banking info:

  1. Store locally first, encrypted if possible.
  2. Upload only when required (and only the exact pages/fields needed).
  3. Remove it after confirmation (or replace with a redacted copy).
  4. Keep a simple log of where you uploaded what (even a note in your phone helps).

For school admin teams, this is also a policy issue: build “auto-delete” into intake processes, and make secure upload portals the default so staff aren’t forced to use shared folders as an inbox.

A practical tool option: mask your contact channels

Privacy tools can help reduce fallout when an organization gets breached. For example, Cloaked lets you create masked emails and phone numbers you can use on sign-ups and forms, so a future breach doesn’t automatically hand over your primary inbox or personal number.

That’s not a magic shield. It’s just smart containment:

  • If a masked email starts getting phishing, you can mute or rotate it.
  • If a masked number starts getting scam calls, you can shut it off without changing your real number.

At the end of the day, the strongest move is boring: share less, store less, keep it for less time. That’s what lowers your exposure across any university data breach—MRU or otherwise.

View all

Could Your Business Be Next? What the Ryuk Guilty Plea Reveals About “Initial Access”

Data Breaches
by
Arjun Bhatnagar

Can You Protect Your Voter File Privacy by Shrinking What’s Publicly Linked to You?

Data Breaches
by
Arjun Bhatnagar

Is Your University Webmail Exposing You to a Roundcube Vulnerability Spy Campaign?

Data Breaches
by
Abhijay Bhatnagar