Yibin Xu, a 19-year old University of Alberta student, is facing charges after malware was installed on more than 300 university computers last semester.
Last November and December, malware, a type of malicious computer program, potentially affected 3,323 individuals with campus computing IDs (CCIDs). All individuals at risk had to reset their passwords, and university chief information security officer Gordie Mah said no one’s information has been compromised so far.
“The intent of (malware) may be to gain control of a computer, destroy information, or it maybe intended to steal information,” Mah said.
The university first detected malware on 304 computers on November 22, and the next day an email was sent to 3,304 CCID-holders who were potentially affected — that is, anyone who had logged into a computer on which malware was installed. A second wave of malware affected 17 computers on December 8, affecting 19 individuals. All of those who were emailed were required to change their passwords.
The malware found last month was designed to harvest the university’s primary ID and passwords, which Mah called the “gateway” to the U of A’s email and academic system. Such information can allow hackers access to one’s financial and personal information.
“The potential of risk (from the malware) is high if left unattended and if password changes aren’t conducted,” he added.
All computers affected were located in the Centennial Centre for Interdisciplinary Science, the Computing Science Centre, and the Library Knowledge Commons. All malicious programs were removed and no more has been found, according to Mah.
“There’s no indication to date that there’s any imminent threat,” he said.
Information Services and Technology will continue to monitor university computers in the future. On an individual basis, Mah said CCID-holders can defend themselves against malware by selecting strong passwords, not using the same password for multiple accounts, and not opening attachments or links in suspicious emails.
“That awareness will often buy you more than technical controls,” he said.
Xu will face charges of “mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system, and use of a computer system with intent to commit an offence,” according to a media release from the Edmonton Police Service (EPS). The student’s next court appearance is on January 10.