Skip to content
feed: live
>_ 0dayNews
ransomware
● Breaking

Mount Royal University confirms June breach, 30 BTC demand

Mount Royal University confirms a June 17 intrusion exfiltrated H drive data. A group calling itself CMD demands 30 BTC before the stated leak deadline.

Mount Royal University confirms June breach, 30 BTC demand
Photo: Chris Woodrich / Wikimedia Commons · CC BY-SA 4.0
airgap · Published · 3 min read

Mount Royal University in Calgary confirmed on 2026-07-08 that data in the university’s “H drive” was accessed and taken by an unauthorized actor during a June 17 intrusion, per BleepingComputer’s coverage of the university’s public statement. A group calling itself CMD Organization has claimed the theft and demanded 30 BTC — roughly $1.9M at current spot — before a stated leak deadline six days out. Confidence: high on the university statement, as-reported on the CMD attribution and demand.

What’s confirmed

  • Intrusion date. 2026-06-17, per MRU. Confidence: high.
  • Exfiltration. University statement: “our investigation has now shown that data within certain folders on the University’s ‘H drive’ was accessed and taken by an unauthorized actor.” Confidence: high.
  • Data class. H drive folders holding records on current and former students, employees, and other individuals. Sample material posted by the actor reportedly included passport scans. Confidence: as-reported.
  • Destructive follow-on. Attackers deleted the original H drive copies to disrupt recovery. The J drive was also deleted, though MRU reports no evidence it was accessed before deletion. Confidence: as-reported.
  • Regulatory notification. Reported to the Alberta Information and Privacy Commissioner and law enforcement. Confidence: high.
  • Support offered. Two years of credit monitoring and identity theft protection for currently employed staff and the previous five years of former employees. Confidence: high.
  • Operational impact. Online services, internet access, and internal systems disrupted through the recovery window. MRU projects several weeks to months to complete recovery. Confidence: as-reported.

What’s uncertain — treat accordingly

  • CMD Organization. Not a previously tracked ransomware or extortion brand in public reporting. Whether CMD is a rebrand, a first outing, or an affiliate posture is not established. Confidence: unconfirmed — treat the actor name as a self-assigned label, not a validated attribution.
  • Encryption vs. pure extortion. The public statement addresses exfiltration and destructive deletion; there is no confirmation from MRU of an encryptor deployed on production systems. The BTC demand and leak-clock pattern reads as data extortion regardless of whether an encryptor ran. Confidence: unconfirmed.
  • Initial access. Not disclosed. Confidence: unconfirmed.
  • Scope of records. MRU has ~11,560 students and 12,500 undergraduates on the current published headcount, plus staff over the past several years, but has not published a per-record count for what was in the H drive folders. Confidence: unconfirmed — do not treat institutional headcount as record count.
  • Whether the ransom will be paid. Not addressed in public statements. Confidence: unconfirmed.

What to do

  • Anyone in the current or former MRU community. Enroll in the credit monitoring MRU offers once the notice arrives. Treat any unexpected password-reset, refund, or “identity verification” email referencing MRU as suspect through the next several months — leaked passport and identity documents are the input to a long tail of downstream identity fraud, not a single event.
  • University IT peers. File-share network drives holding decades of departmental correspondence, credential documents, and scanned identity records are still the softest single target on a campus network. The MRU statement is worth reading against your own H-drive equivalent — what would come out, and who has been assuming for years that nobody would ever look in there.
  • Incident responders. Watch for CMD Organization posting to a leak site as the six-day clock expires. That is the signal a rebrand is being tested, and it will inform whether this is a first outing or a known crew under a fresh label.

Timeline

  • 2026-06-17 — intrusion date, per MRU.
  • ~2026-06-17 through 2026-07-08 — university systems disrupted through the investigation window; online services and internal systems affected.
  • 2026-07-08 — MRU publicly confirms data exfiltration from the H drive and notification to the Alberta Information and Privacy Commissioner. Two years of credit monitoring offered.
  • ~2026-07-14 — actor-stated leak deadline (six days from confirmation).

Filed as active incident, attribution as-reported. Update if CMD posts leak material, if MRU discloses initial access or a per-record notification count, or if law enforcement names the actor.

Found this useful? Share it.