grid
Abstract circular gradient with concentric rings in blue, green, yellow, and red fading into black background.
5 min read

Mount Royal University Data Breach Exposes Student Records

Mount Royal University Data Breach
Published on
July 9, 2026

Mount Royal University has confirmed a data breach after hackers broke into its network, stole files, and deleted the originals. The Calgary-based institution disclosed the data breach in a public update this week. The intrusion disrupted online services and internal systems across campus. A threat group calling itself CMD Organization has since claimed responsibility and posted sample data on its extortion site.

The incident affects current and former students and current and former employees. It also affects an additional group the university describes only as "other individuals." Mount Royal University serves roughly 11,500 students and thousands of staff. The exposure could reach a wide population once the university finishes its review.

How the Mount Royal University Data Breach Unfolded

The Mount Royal University breach began on June 17, 2026, when hackers gained access to the university's network. They reached the "H drive," a shared storage system that students and staff use to save personal and coursework files. The attackers copied data from that drive first. Then they deleted the original files, a move designed to slow recovery and increase pressure during negotiations.

A second storage system, the "J drive," holds departmental records, and attackers wiped it too. The university has not yet found evidence that data from the J drive was copied before deletion. The attackers destroyed files rather than simply viewing them. That makes determining exactly whose information they took slower than in a typical breach.

Mount Royal University took systems offline to contain the intrusion. The university also brought in external cybersecurity specialists to investigate the incident. It reported the data breach to the Alberta Information and Privacy Commissioner and to law enforcement. Recovery is expected to take weeks, and in some cases months, before normal operations fully return.

CMD Organization Claims the Attack

CMD Organization, a relatively new extortion group, listed Mount Royal University on its leak site. The published sample files reportedly include passport scans and other sensitive documents. The group claims to hold a much larger cache of stolen data. It gave the university a short deadline to respond before it threatens a full release.

According to the group's posted demand, CMD Organization wants 30 bitcoin, worth close to 1.9 million dollars at current prices, in exchange for not leaking the files. This ransom sits at the center of the Mount Royal University data breach story. The university has not confirmed if it will pay.

What sets CMD Organization apart from many ransomware and extortion crews is its auction format. Rather than offer victims a simple choice between paying and having their data published, the group markets stolen data to the highest bidder on its site. This model turns a breach into a competitive sale. It can also shorten negotiation timelines, because victims fear a rival buyer might acquire their data first.

CMD Organization currently lists 30 organizations as victims across its clear web and dark web portals. Independent researchers have not verified the group's claims about the volume and sensitivity of the Mount Royal University data. The university has not confirmed the group's figures either. Details from an active extortion listing should be treated as unproven until confirmed by the institution or independent researchers.

What Mount Royal University Is Doing Now

Mount Royal University is offering two years of credit monitoring and identity theft protection. The offer currently covers current employees and anyone who worked at the institution within the past five years. The university has not yet extended a similar offer to affected students. Its investigation is ongoing, so the scope of impacted individuals may still expand.

The university has not disclosed how the attackers first gained access to its network. Common entry points for this kind of intrusion include phishing emails, stolen credentials, and unpatched remote access systems. Mount Royal University has not attributed the breach to a specific method yet. A full accounting of the incident should follow once the forensic investigation concludes.

What the Mount Royal University Data Breach Signals for Higher Education

Deleting original files after copying them marks a shift from earlier extortion playbooks, where attackers left source data intact and simply threatened to publish stolen copies. Wiping the originals adds a second layer of damage. Even if a victim organization refuses to pay, it still has to rebuild lost records from backups. That only works if those backups survived the attack.

Higher education institutions remain frequent targets for this kind of attack. They store large volumes of personal, financial, and academic data. But they often run smaller security budgets than comparable private organizations. Universities also maintain many independent departmental systems, and that structure can create gaps in how consistently staff back up and monitor data across campus.

The Mount Royal University data breach adds to a steady stream of incidents at post-secondary institutions across North America over the past year. Extortion groups continue to experiment with new pressure tactics. That includes the auction-based model that CMD Organization uses. Universities now face growing pressure to modernize both their defenses and their incident response planning.

Subscribe to newsletter

Subscribe to receive the latest blog posts to your inbox every week.

By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.