Mount Royal University has confirmed that hackers stole personal data belonging to students and staff, deleted it, and are now holding it for a $1.9 million ransom. In the response the university has laid out, one group is being offered years of protection. The other, whose files sat on the exact same drive, is not.
The Calgary university first told its community on June 17 that it was dealing with technical disruptions. On July 7, it confirmed what that disruption actually was: a ransomware attack that stole and then destroyed employee and student data.
What happened, and when
Attackers broke into MRU's network on June 17, disrupting online services, internal systems and internet access across campus. Payroll and student accommodation registration were among the systems knocked out.
Once inside, they reached the university's "H drive," a shared network storage system that students and employees use to save personal files and coursework. They copied data from it, then deleted the originals. In the university's own words, the attacker "then deleted our H drive data to impede our recovery."
A second system, the departmental "J drive," was also wiped. MRU says there's no evidence data was copied off it before deletion, but a full recovery of it "may not be possible."
The university says its analysis indicates the attack hit specific folders on the H drive rather than the entire thing, and that it would begin directly notifying the employees and students whose folders were compromised within a week. Recovery, it says, could take weeks to months.

The ransom, and the group behind it
A ransomware group calling itself CMD Organization has claimed responsibility, listing MRU on its leak site and demanding 30 bitcoin, about $1.9 million, within a week. To prove it has the data, the group posted samples, including scans of passports and other identity documents.
CMD is new. Its infrastructure first appeared in late March 2026, and it has claimed 32 victims across 10 countries since, though only four have been confirmed by the organizations targeted. Its average ransom demand is around $580,000, which makes the $1.9 million it wants from MRU nearly four times its usual ask, and hints at how large it believes this haul to be.
What sets CMD apart is how it makes money. Most ransomware crews give a victim a simple choice: pay, or we publish your data. CMD runs an auction. It offers stolen data to the highest bidder on a site reachable on both the open and dark web, which means even an organization that refuses to pay can watch its data sold off to whoever wants it. MRU has not said whether it will pay, and has not confirmed CMD's specific claims about the volume of data taken.
Why "stole then deleted" is worse than a normal hack
Traditional ransomware locks up your files and demands payment for the key. Newer attacks add data theft on top: steal a copy, then threaten to publish it. What happened at MRU is the harsher version. The attackers copied the data, then deleted the originals.
That does two things. It slows recovery, because the university can't simply decrypt its files, it has to rebuild them from backups, if it had good ones. And it leaves the criminals holding the only remaining copy of some of that information. It's a tactic built to maximize pressure, and security researchers say it has become the dominant approach among ransomware groups.

The part that should bother students
Here's where MRU's response gets uncomfortable.
The university says it will directly notify both employees and students whose folders were compromised. But the two years of free credit monitoring and identity-theft protection it's providing is being offered only to employees, current ones and anyone employed there in the past five years. Students whose files sat on the very same H drive are being told they were affected, then left to arrange their own protection.
The distinction is hard to justify on the facts. The H drive is shared. Student data and employee data sat side by side in it. A passport scan or a transcript belonging to a student is exactly as useful to a criminal as one belonging to a staff member, arguably more so, since young people with thin credit histories are prime targets for identity fraud that can go undetected for years.
And credit monitoring is only part of what's at risk. The bigger, longer-tail danger from a breach like this is targeted phishing. Stolen data gets folded into scam kits, so a fraudulent email can reference a real course, a real student ID, a real address, making it look legitimate. Anyone whose information was taken, student or staff, is more likely to receive convincing scam messages for months. A student who gets a breach notice but no monitoring won't have the same safety net an employee does.

What to do if you're connected to MRU
Whether you're a current student, a former one, current staff or a past employee, it's reasonable to assume your information may have been exposed and to act accordingly.
Watch for phishing. Treat any unexpected email or text referencing MRU systems, financial aid, HR, payroll or student accounts with suspicion, especially anything asking you to log in or confirm details. Go to the university's real website directly rather than clicking links.
Watch for identity fraud. Keep an eye on bank and credit card statements, and consider requesting a free credit report from Equifax or TransUnion Canada to check for accounts you didn't open. You can request a credit freeze or fraud alert through both bureaus at no cost.
If you're an eligible employee, take the credit monitoring MRU is offering, details are coming by email and mail. If you're a student, you can still monitor your own credit for free, you just have to set it up yourself, which is precisely the gap in the university's response.
Change your MRU password and any password you reused elsewhere, and turn on two-factor authentication wherever it's offered.
Where this stands
MRU says it has reported the breach to the Alberta Office of the Information and Privacy Commissioner and to law enforcement, and is working with external cybersecurity specialists. It has set up an FAQ on its emergency site that it says will be updated as the investigation continues.
For now, the ransom deadline set by CMD has passed, the stolen data is in the hands of a group that auctions what it takes, and the university's own students are being told their information was among it, without the protection their professors and administrators are getting.
Sources:
Mount Royal University, news release and emergency updates, June 18 and July 7, 2026 (emergency.mtroyal.ca)
Alberta Office of the Information and Privacy Commissioner (breach reported)
Comparitech, CMD Organization analysis (Paul Bischoff; Rebecca Moody, Head of Data Research)
CMD Organization data leak site listing, as documented by security researchers









