Following a widespread cyberattack on the AMS’s email server, Microsoft Exchange, the student society will be switching email servers to Office 365.
Microsoft found vulnerabilities in its Exchange servers as early as January 6, 2021. The Canadian Centre for Cyber Security (CCCS) reported in March that it had learned that “malicious actors [were] actively scanning using automated tools to identify unpatched servers” and encouraged organizations with “unpatched external facing servers” to work to mitigate the possibility of cyberattacks.
AMS President Cole Evans said the student society quickly put measures in place to protect it from any vulnerabilities.
“It was a pretty widespread vulnerability that existed for a lot of organizations. Obviously when you have a vulnerability that’s widely accessible, it can potentially have serious implications on your tech infrastructure,” said Evans.
Evans said the society was among those vulnerable to attack.
“We don’t believe there is any security risk to the AMS, but we did take precautions to make sure that we didn’t potentially open ourselves up to any vulnerabilities,” Evans said.
In Executive Committee meeting minutes, the AMS’s Chief Technology Officer Hong-Lok Li called the breach “an alarming situation” and noted that the society had received no help from Microsoft. He advocated for a “secure, supported system.”
While the AMS saw privacy breaches through its student engagement platform CampusBase last year, Evans said students’ information is safe.
“I wouldn’t say there’s a very significant risk to students,” he said.
“This is more of an operational risk for us. I think that students can rest assured that our IT team was able to act swiftly. Any potential security exploits were taken care of.”
CCCS has directed Canadian organizations to contact the centre for any help on the matter, but Evans said the AMS hasn’t seen the need to.
“While cybersecurity does impact students to an extent, it’s probably not a topic that has a direct impact on students. Nor have we encountered any serious enough breaches that we’ve had to get in contact with police or any other government institutions,” he said.