University discovers online fraud
IT systems not compromised by incident
On Wednesday, August 23, MacEwan University discovered it had been the victim of a phishing attack. A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor.
While the eventual financial impact will not be known until an investigation into the incident is complete, more than $11.4 million of the funds has been traced to accounts in Canada and Hong Kong. These funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money. The status of the balance of the funds is unknown at this time.
“There is never a good time for something like this to happen,” said university spokesman David Beharry, “but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”
Immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. The Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and corporate security units of banks involved with the e-transfers are working to resolve the criminal aspect of the case.
After the fraud was discovered, the university immediately conducted an interim audit of business processes, and controls were put in place to prevent further incidents. The investigation will determine the permanent business process controls that will be implemented.
The university’s Internal Audit group has engaged external expertise to assist in an extensive multifaceted investigation that has already commenced. Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed. Final results of the review are expected within a few weeks.
Key stakeholders have been advised of the incident and MacEwan has informed both the Minister of Advanced Education and the Office of the Auditor General about the situation.
In order to protect the integrity of the ongoing criminal investigation and civil actions, the university will not be making additional statements at this time. Information will be released as it becomes available.
Any updates will be posted on this web page.