Mount Royal University (MRU) in Calgary has confirmed that attackers breached its network on June 17, 2026, stealing data from its primary file storage systems and deliberately wiping copies to obstruct recovery. The university disclosed the incident in a public update, noting that external cybersecurity experts have been engaged alongside internal technical teams.

What Was Accessed and Destroyed

The confirmed impact centers on the university’s H drive, a shared storage volume used by students and employees. Investigators determined that an unauthorized actor accessed and exfiltrated data from certain folders on that drive. Those folders contained information belonging to current and former students, current and former employees, and an additional category of unspecified individuals.

A second drive, designated the J drive, was used for departmental data. Attackers wiped that drive entirely. MRU stated there is currently no evidence that J drive data was accessed or copied before deletion, though the university cautioned that a full recovery of that drive may not be possible.

Because the original data was deleted, MRU noted that determining the precise scope of exposure for each affected individual is complicated and will require additional time. Affected individuals will be contacted directly once identified.

CMD Organization Claims Responsibility

The extortion group CMD Organization has claimed responsibility for the attack, publishing samples of allegedly stolen data on its site, including passport scans and other sensitive documents. The group demanded a ransom of 30 BTC, approximately $1.9 million at current valuations, and gave MRU six days to respond before threatening to release the full dataset.

CMD Organization operates both a clear web and a dark web portal and uses an auction-style model, offering stolen data exclusively to the highest bidder. The group currently lists 30 organizations on its extortion site.

Scope and Response

MRU serves roughly 11,560 students and 12,500 undergraduates. The attack disrupted online services, internet access, and various internal systems. The university has reported the incident to the Alberta Information and Privacy Commissioner and to law enforcement.

Full restoration of affected systems is expected to take several weeks to months. As a precautionary measure, MRU is offering two years of credit monitoring and identity theft protection to all current employees and individuals employed within the past five years.