The Breach That Won't Go Away
Mount Royal University in Calgary just confirmed what they'd been quietly investigating for weeks: their network got breached on June 17, and the attackers didn't just walk out with data. They came back to make sure recovery would be painful.
Here's what happened in plain terms. The CMD Organization extortion group got into MRU's systems, pulled files off a drive students and staff use daily—the H drive—and then wiped a separate departmental drive (the J drive) clean. No evidence the J drive data was even accessed before deletion. Just pure sabotage.
The university dropped an update on its website acknowledging the incident, saying they've brought in external cybersecurity experts and technical teams to figure out exactly what was taken and how deep the damage goes. Recovery could take anywhere from several weeks to months, depending on what they're working with.
This is exactly the kind of artificial intelligence cybersecurity threats landscape we keep warning about—where threat actors aren't just stealing data anymore. They're weaponizing it, deleting backups to force your hand, and running extortion schemes that feel more like auction houses than ransomware operations.
What the CMD Organization Actually Took
MRU's announcement was specific about what got hit. The H drive contained folders with information affecting current and former students, current and former employees, and what they called "other individuals." Passport scans have already surfaced on the CMD Organization's extortion site, which tells you exactly how sensitive this data was.
The J drive story is worse in a different way. MRU said there's currently no evidence that J drive data was accessed or copied before it was deleted. They're still working to recover that data, but a full recovery may not be possible.
So you've got stolen personal documents from one drive, and another drive's worth of departmental data just... gone. The university noted that determining the exact impact for each individual is complicated precisely because so much has been deleted. They'll contact affected people directly with personalized notifications once they figure out who's impacted.
MRU has 11,560 students and 12,500 undergraduates. That's a lot of people whose personal information might be floating around on a criminal's server right now.
The Ransom Demand and Auction Mechanics
Here's where this gets interesting from a threat actor perspective. CMD Organization isn't just asking for money and disappearing. They're running what looks like an auction-style system.
The group demanded 30 BTC—currently around $1.9 million—from MRU, giving the university six days to respond before they leak the full set of stolen information. But here's the twist: CMD appears to use an auction system where they sell the stolen data exclusively to the highest bidder. They're currently listing 30 organizations on their extortion site and operate both a clear web and dark web portal.
Think about that for a second. You've got a ransomware group essentially running a marketplace where multiple victims or interested parties can bid on access to stolen data. It's extortion meets e-commerce, and it changes the calculus for anyone considering whether to pay.
The university reported the incident to the Alberta Information and Privacy Commissioner and law enforcement authorities. Standard procedure, but it doesn't make the situation any less stressful for the people whose data is out there.
Why Universities Are Sitting Targets
Let's be honest about why institutions like Mount Royal University keep ending up in these breach announcements. They're running complex networks with thousands of users, legacy systems that haven't been patched because "it's a university, not a bank," and students who will click on anything that looks interesting.
MRU has over 100 years of history as a public institution. That kind of longevity often means layers of technical debt, systems that were built for a different era, and security teams who are constantly playing catch-up. The university is offering two years of credit monitoring and identity theft protection to all current employees and individuals employed in the past five years. That's not exactly a consolation prize.
The broader pattern here connects directly to how artificial intelligence cybersecurity threats are evolving. Threat actors aren't just using AI to find vulnerabilities faster—they're using it to automate the entire attack chain, from initial access to data exfiltration to the extortion follow-up. The CMD Organization's auction system? That's not something you build manually for 30 different victims. There's infrastructure behind this, and it's getting more sophisticated by the day.
MRU said they'll provide updates as new details become available. Given that recovery might take months, we should probably expect more announcements before this story is fully resolved.