Mount Royal University (MRU) has confirmed a cyber attack that resulted in hackers stealing and erasing certain student and employee data.
Formerly known as Mount Royal College, Calgary, Alberta, Canada-based MRU was founded in 1910. It currently offers 13 degrees with over 11,560 undergraduate and 12,500 postgraduate students.
MRU learned of the cyber attack on June 17, 2026, and launched an investigation that determined unauthorized access had occurred.
Cyber attack disrupts operations at Mount Royal University
The attackers accessed and wiped certain folders in “drive H” containing data belonging to current and former students and employees.
“We regret to inform our community that our investigation has now shown that data within certain folders on the University’s ‘H drive’ was accessed and taken by an unauthorized actor,” the university stated.
The hackers also deleted departmental data stored in a drive labeled “J” but did not exfiltrate it. The cyber attack also disrupted online services, internal systems, including registration systems and payroll, telephone services, and internet connectivity across the university.
Meanwhile, MRU has hired cybersecurity experts to assist in investigating the cyber attack and is notifying affected individuals. Calgary police and the Alberta Information and Privacy Commissioner have also been notified of the cyber attack and have launched an investigation.
“We have retained external cyber security experts to assist with the response and investigation, and we are following our established incident response protocols,” the university said in an update post.
Additionally, MRU has deployed a new wireless network to enable students to access their emails while restoration efforts continue. The university is also offering two years of identity theft protection services to individuals it employed within the past five years.
However, MRU has not disclosed the nature of the stolen information, but it could contain personal information depending on the files individuals stored in the compromised folders. Nevertheless, the cyber attack did not compromise corporate data or employee information. However, the university was still investigating whether employees had uploaded corporate data in the affected folders.
CMD Organization ransomware group demands $1.9 million
MRU has confirmed that the cyber attack was a ransomware incident. An upcoming ransomware group called CMD Organization has also taken responsibility for the cyber attack at Mount Royal University and claims it stole 10 TB of data. The group demands $1.9 million or 30 bitcoin as ransom to avoid leaking the stolen information online.
“CMD Organization is a relatively new gang but it’s quickly gaining notoriety with some hefty ransom demands and crippling attacks,” said Rebecca Moody, Head of Data Research at Comparitech. “This case against MRU highlights just how devastating ransomware attacks on the education sector can be, both in the downtime caused through the encryption of systems and the theft of data. MRU hasn’t confirmed what, if any, data has been stolen in this attack, but CMD’s ransom of $1.9 million (nearly four times its average demand of $580,000) and the alleged theft of 10 TB suggest there could have been an extensive breach. As part of its proof pack, CMD uploaded various identity documents.”
First detected in May 2026, CMD Organization is a ransom-as-a-service (RaaS) cybercrime gang that operates on double extortion and has claimed at least 32 victims across 10 countries. Its alleged victims include Port Angeles Composite, METCO Services, Medlink Georgia, Fidelity Security Group, WholeHealth Chicago, Wall ISD, and Lake Washington School District.
Cybercriminals continue to target learning institutions
Schools are attractive targets for cybercriminals due to the large volumes of personal information they collect and store from students and employees. Schools are also highly vulnerable to operational disruptions, particularly those affecting online learning, assignment submissions, and end-of-year assessments or coursework.
In June 2026, Oxford University confirmed a cyber attack that leaked personal information after hackers breached its third-party-managed CareerConnect portal.
Another cyber attack on the Instructure-owned learning management system (LMS) Canvas leaked nearly 280 million records from 8,809 colleges, school districts, and online learning platforms.

