Mount Royal University confirms ransomware attack that stole and then deleted 10 TB of student and staff data
Mount Royal University in Calgary confirmed that a ransomware group calling itself CMD Organization broke into its shared file storage, exfiltrated data belonging to current and former students and employees, and then deliberately wiped the original files to hamper recovery.
- Victim
- Mount Royal University
On 7 July 2026, Mount Royal University — a public undergraduate university in Calgary, Alberta with roughly 15,000 students — confirmed that a ransomware group had broken into its shared file storage, stolen data belonging to current and former students and employees, and then deliberately deleted the original files to disrupt recovery. The university said it first detected the intrusion on 17 June 2026 and immediately engaged internal technical teams and external cybersecurity experts to investigate and contain the incident.
The attackers targeted the university's "H drive" — a shared file store used by staff and students for personal working files — which held information for both current and former members of the community. A separate "J drive" used for departmental files was also wiped, though the university said there was no evidence that data on it had been accessed before deletion. The "steal-then-destroy" tactic is designed to leave victims without their own copies, increasing pressure to pay even where backups might otherwise have enabled a clean recovery.
A new auction-model extortion group
Responsibility was claimed by CMD Organization, a comparatively new operation whose infrastructure security researchers traced back to late March 2026 and which surfaced publicly around May. The group is notable for building a crypto bidding platform directly into its leak site, turning stolen data into an auctionable asset rather than relying solely on a private negotiation with the victim. To back up its claim against MRU, the group published passport scans as proof and set a roughly one-week deadline to pay around 30 Bitcoin — approximately $1.9 million — before auctioning the stolen data to the highest bidder, a demand reported to be nearly four times the group's average. Analysts have described CMD Organization as having limited operational maturity, leaning heavily on outsourced tooling and initial-access brokers, with phishing assessed as the most probable entry point.
Response and the student-coverage gap
Mount Royal University said it began directly notifying the individuals whose folders were affected and is offering two years of credit monitoring and identity-theft protection to all current employees and to anyone employed by the institution within the past five years. That offer has drawn criticism because it does not extend to students, whose academic and personal files sat on the same compromised H drive. As of the confirmation the university had not said whether it intended to pay the ransom, and with the data already destroyed and an auction deadline looming, the incident remained unresolved.
Financial impact
Reported costs in USD
Timeline
Mount Royal University detects a breach of its network; attackers steal data from a shared file store and delete the original files.
The university publicly confirms the ransomware attack; CMD Organization claims responsibility, publishes passport scans as proof, and demands roughly 30 Bitcoin (about $1.9 million).
Reporting notes that MRU is offering two years of credit monitoring to current and recent employees but not to students whose files were on the same compromised drive.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/mount-royal-university-confirms-breach-as-hackers-claim-attack/
- securityweek.comhttps://www.securityweek.com/mount-royal-university-confirms-data-stolen-in-ransomware-attack/
- scworld.comhttps://www.scworld.com/brief/mount-royal-university-hit-by-ransomware-attack-data-stolen-and-deleted
- comparitech.comhttps://www.comparitech.com/news/cybercriminals-say-they-hacked-mount-royal-university-demand-ransom/
- cbc.cahttps://www.cbc.ca/news/canada/calgary/mru-cyberattack-personal-data-9.7261930
- labs.beazley.securityhttps://labs.beazley.security/articles/cmd-organization-new-ransomware-operator-moves-to-place-public-bidding-wars-on-ransomed-data