U of T’s financial auditor Ernst & Young LLP (EY) contacted impacted students and staff members in November about a security breach that may have compromised sensitive personal information. 

Between May 27–31, 2023, a Russian ransomware group called CL0P conducted a ransomware attack, gaining unauthorized access to data from companies including EY, TD Ameritrade, PwC Canada, and the BBC, threatening the security of information from more than 62 million people. 

Breaking down the attack

MOVEit Transfer is a software product that simplifies file transfers between organizations. Since its creation in the early 2000s, a number of companies have used the system to exchange files and data between servers. However, the software had a vulnerability: a bug in the system could allow unauthorized actors to gain access to databases stored in MOVEit. Progress, the system’s developer company, didn’t detect the vulnerability until May 31 — likely after the attack had occurred.

The ransomware group CL0P exploited this unaddressed weakness in the system to conduct the biggest data theft of 2023. In an interview with The Varsity, David Lie, a professor in the electrical and computer engineering department at U of T, said that the key motivation behind these ransomware attacks tends to be profit, which means groups seek out bigger organizations. 

The attack impacted over 2,000 companies, including EY, in a myriad of industries ranging from finance to journalism. In total, it threatened information from 62 million people who work for the affected organizations and their partners. 

As of November 2023, the ransomware group claimed it had access to three terabytes of EY data, which it threatened to sell after negotiations with the company failed. Lie explained that individuals’ data, more and more of which is stored online, often “becomes collateral damage” in attacks like this as ransomware groups try to induce companies to pay up. 

Ernst & Young LLP and U of T

Since 2014, EY has worked as the external auditor for U of T, entrusted with examining a number of records for the university, including its enrolment records. To conduct the auditing process, EY obtains information about U of T students and employees, and transfers files using MOVEit. When CL0P intercepted the system, it gained access to sensitive information from the EY database. 

An email from EY to affected students and employees sent in November 2023 states that CL0P may have accessed personal data, including impacted community members’ “name, gender, date of birth, information relating to your employment (such as your employee ID and compensation and benefits), and information relating to your education (such as your student ID).” 

In a statement to The Varsity, a U of T spokesperson wrote, “Before U of T shared information with EY, precautionary steps were taken to redact any unnecessary data to protect personal information.” While data from U of T was affected, CL0P did not gain access to systems at U of T itself. 

EY confirmed that it has begun an investigation into the matter and has taken the required steps to protect the stolen data. Further, it asked individuals to be cautious of phishing emails and unsolicited communication from unknown sources.

U of T became aware of the attack impacting EY in June. On June 27, the U of T Governing Council renewed its partnership with EY for the year 2023–2024 — days after multiple news sites had reported that the attack impacted EY. The documents submitted to governors about the decision did not mention the attack. When asked why governing council members weren’t informed of the attack before deciding to reappoint EY, a U of T spokesperson did not address the question.

In an email to The Varsity, a U of T spokesperson wrote that the university worked to notify impacted students “as quickly as possible” but that determining whose information may have been compromised took “significant time due to the nature and amount of data involved.”

The spokesperson did not answer The Varsity’s question about how many community members may have been impacted by the attack.

Responses from students

After receiving the email from EY about the data leak, some U of T students said they did not fully understand the situation and raised questions about the leak. When asked for her thoughts on the situation, second-year engineering student Sanskruti Jadhav told The Varsity that while “the email was easy to comprehend,” the lack of information in it worried her. 

Other students initially doubted the reliability of the email. Third-year computer engineering student Krishna Advait Sripada wrote in an email to The Varsity that since the letter looked suspicious, he didn’t originally worry too much about it. Angel Rajotia, a third-year industrial engineering student whose data was compromised, wrote that she’d received similar emails in the past and hence had difficulty judging its veracity. Coordinated phishing attacks have impacted thousands of U of T students in the past, and U of T wrote in October about increases in malicious QR-code phishing attacks.

Another source of worry and confusion for Rajotia was that she’d been looking for internships at EY. From the information EY released, she couldn’t tell whether CL0P could have accessed the information she’d submitted in the application process. 

Protecting your data

To protect themselves from such attacks, Lie recommends that companies hire good IT professionals who ensure systems are set up properly. On an individual level, he suggested that students and employees create stronger passwords. 

He also stressed the importance of setting up multi-factor authentication in addition to having a strong password. This additional step asks users to provide additional information such as a code, password, or fingerprint. Since 2022, U of T has required all community members to set up U of T multi-factor authentication to enhance their security. Lie emphasized that “this is really one of the main ways to kind of protect your assets to U of T.

Ernst and Young LLP did not respond to The Varsity’s request for comment in time for publication.