This article previously appeared under the headline "UBC faces cyber attack," and has been updated as new information became available.
On Thursday, April 14, UBC announced that it has been the target of what they are identifying as a “brute force attack” against their identity management infrastructure. This infrastructure, put simply, is the CWL log-in and password that every student has.
“We actually haven’t had a security breach, and it’s not a hack. Those are common terms, but I want to be really clear,” said Don Thompson, deputy chief information officer with the university's information security.
He likened the “attack” to someone throwing homemade keys at a door, hoping that one lands in the lock and also turns — the possibility of this method working is very small.
“Regrettably, most organizations and institutions face continuous attempts at hacking. It’s the reality in which we all live and work,” said Susan Danard, the managing director of UBC public affairs, in an emailed statement to The Ubyssey.
UBC IT identified the problem as an attempt to hack into the system using the Remote Desktop Protocol, which allows people to use computers outside of UBC’s campus to access the UBC system. Approximately 1,300 UBC user systems have this application.
“To put this into perspective, UBC has about 60,000 students and 15,000 faculty and staff,” said Danard.
This attempt alerted technology staff because although they reportedly see multiple security breach attempts every day, this particular instance involved many attempts over a relatively short period of time. It is neither a bug in the software nor a security flaw.
All users are being notified about the problem, and access to the Remote Desktop Protocol is being limited, with workarounds being provided for those who need remote access.
Thompson can confirm that no personal information was compromised. “We have not found any compromises, and we do not expect to,” he said, “but we are going to really carefully look to make sure. So that’s our next step now.”
Students and staff may be asked to reset their passwords as a result of the attack, but Danard says that this will be done with user convenience in mind. Thompson added that changing passwords for accounts as important as the CWL log-in is a good idea regardless of the instance. Passwords containing letters, numbers, and symbols are the strongest.
“This will be rolled out in a staggered way to minimize disruption to students, faculty, and staff, and will be communicated to users over the next few days,” said Danard.
“We’re not at this point going to, right in the middle of finals, tell every student and everyone in faculty office to change their passwords,” said Thompson. “We don’t want to add more stress than is due — we are being careful, we are being diligent.”
UBC IT is currently reviewing its security infrastructure, protocols and policies to determine what actions it can take to further strengthen its system.
This article has been updated to include comments from Don Thompson.