Calgary’s Mount Royal University confirmed July 7 that a ransomware group broke into its shared file storage, stole data belonging to students and staff, and then deliberately deleted the original files — a tactic that eliminates recovery options even for institutions with backup systems. The group, called CMD Organization, has since claimed responsibility, published passport scans as proof, and set a roughly one-week deadline to pay 30 Bitcoin, approximately $1.9 million, before auctioning the stolen data to the highest bidder.
The university is offering two years of credit monitoring and identity theft protection to current and recently departed employees. Students, whose academic files and potentially personal documents were on the same compromised drive, are receiving no equivalent protection.
What Was Attacked and Why the Deletion Matters
The compromised system was MRU’s H drive, a shared network storage volume used by both students and staff for academic work — assignments, lesson plans, research materials — as well as personal files individuals had saved there. On July 7, the university disclosed that an unauthorized actor had accessed specific folders on the H drive, copied their contents, and then deleted the originals. Mount Royal University’s incident page
A second drive, the J drive, which holds departmental administrative data, was also wiped during the attack. The university said there is currently no evidence that J drive contents were accessed or copied before deletion, meaning that data may have been destroyed purely to inflict disruption rather than for extortion leverage. MRU says full recovery of the J drive may not be possible.
The deletion is what makes this attack categorically different from traditional ransomware. Conventional ransomware encrypts files and offers a decryption key in exchange for payment; organizations that have robust backups can often restore systems without paying. The delete-after-steal tactic eliminates that exit: the attacker’s copy is the only copy remaining. Any specific file that was on the H drive but was not independently replicated elsewhere is, as of July 7, irretrievably gone unless MRU pays and CMD Organization actually delivers a restoration — which published research on ransom payment guarantees makes no guarantee of.
As of July 9, the university says recovery of affected systems could take weeks to months.
Who CMD Organization Is — and How It Works
CMD Organization is a relatively new threat group, with infrastructure first surfacing in late March 2026. Beazley Security Labs, who responded to an early CMD Organization intrusion in April, documented the group’s approach in detail.
The group operates as a ransomware-as-a-service platform and likely sources initial access to victims from criminal brokers rather than conducting its own intrusions. In the MRU case, cybersecurity analyst Ritesh Kotak, commenting for CBC News, assessed that phishing was the most probable entry point — the same vector documented in attacks on dozens of other post-secondary institutions.
What distinguishes CMD Organization from other extortion groups is its monetization model. Most ransomware operators issue a ransom demand and threaten to publish stolen data if unpaid. CMD Organization operates a public auction platform — accessible on both the open web and the dark web — where stolen data is offered for competitive bids from any buyer. This means the MRU data could be sold to multiple parties, not merely threatened as a public leak. The group currently lists 32 organizations on its site; only four attacks have been independently confirmed, according to SecurityWeek.
Rebecca Moody, Head of Data Research at Comparitech, said the MRU demand stands apart even by CMD Organization’s own standards: the $1.9 million figure is nearly four times the group’s average ransom demand of $580,000. The group also claims to have taken more than 10 TB of data.
Students Left Out of Protection Measures
MRU is providing two years of credit monitoring and identity theft protection to all current employees and anyone who left the university within the last five years. The offer does not extend to students, whose H drive folders were part of the same compromised storage.
The university offered an explanation for the distinction. In a statement reported by CBC News, MRU said: “Corporate data about the university is primarily what’s at risk in the cyberattack” and that student information “does not present the same risk profile.”
That reasoning is difficult to sustain given what was published as proof of access. CMD Organization posted passport scans on its extortion site — and a passport belonging to a student carries the same identity fraud risk as one belonging to an employee. Government-issued identity documents, once exposed and published, create risks that are not meaningfully different based on the holder’s employment status.
Credit monitoring itself has limits worth noting. It tracks activity on financial credit accounts and provides after-the-fact detection; it does not prevent identity theft and does not address the specific risk created by passport or government ID exposure. For any individual — student or staff — whose passport or identification document was stored in an H drive folder, the immediate practical step is contacting the passport-issuing authority about potential fraudulent use, monitoring financial accounts independently, and remaining alert to social engineering or phishing attempts that could use their verified name, image, and ID number.
What Makes Delete-After-Steal Different From Standard Ransomware
The tactic CMD Organization used at MRU — exfiltrate, then delete — reflects a documented evolution in ransomware methods that has become the dominant approach among organized criminal groups in 2025 and 2026. Vectra AI
Traditional ransomware encrypted files in place. The introduction of double extortion — pioneered by the Maze ransomware group in 2019 — added a data theft component, meaning organizations faced both encrypted systems and the threat of data publication. The delete-after-steal variant strips out the encryption step entirely: the attacker takes the data, removes the victim’s copy, and the victim is left with nothing to decrypt, nothing to restore from (if the only copy was on the compromised drive), and an attacker who holds the only remaining version of that data.
By 2026, data exfiltration is present in approximately 96 percent of ransomware attacks, according to security research firm analyses. This means backups — while still a critical component of any security posture — are no longer sufficient on their own. An institution whose backup strategy covers system encryption but not the theft of shared-drive contents faces the same irreversible loss MRU is now dealing with.
The structural challenge for universities is well-documented. Post-secondary institutions depend on open, accessible, collaborative environments. Shared network drives are a standard part of that environment. The same architecture that lets students and professors exchange files freely also creates a single large target: one credential compromised through phishing can expose everything within reach of that account. Ransomware attacks against the education sector surged 69 percent from 2024 to 2025, according to cybersecurity firm SentinelOne.
Security professionals consistently recommend immutable, air-gapped backups — storage that cannot be modified or deleted by any network-connected process — as the only reliable defense against delete-after-steal attacks. Whether MRU had such backups in place for its H drive contents has not been disclosed.
Calgary Joins a Pattern Across Canadian Post-Secondary Education
MRU is not an isolated case. The attack follows ransomware incidents at Calgary Public Library in 2024 and at the Calgary Board of Education, which was caught in the high-profile PowerSchool data breach that exposed student records across multiple institutions.
Across Canada, higher education institutions have become consistent targets for financially motivated ransomware groups. The combination of sensitive personal and academic data, often limited cybersecurity budgets relative to their size, and structural pressure to restore operations quickly — since an unavailable university disrupts an entire academic calendar — makes them high-leverage targets. The Canadian Centre for Cyber Security has identified Akira, Play, and Medusa among the top ransomware-as-a-service threats currently facing Canadian organizations.
MRU has reported the incident to the Alberta Information and Privacy Commissioner under the province’s Protection of Privacy Act, which as of June 2025 replaced the prior Freedom of Information and Protection of Privacy Act as the governing law for public bodies, including universities. The university has also notified law enforcement, with Calgary Police confirming an investigation. Individual notifications to those whose folders were specifically compromised are expected to begin within the week following July 7.
MRU has stated it will not confirm specific discussions with the threat actor regarding the ransom demand.
What MRU Students and Staff Should Do Now
The publication of passport scans on CMD Organization’s extortion site means some MRU community members’ government-issued identity documents have already been made public. The appropriate steps for anyone who had personal identification stored in their H drive folder:
Contact the relevant passport or ID-issuing agency to flag the document as potentially compromised, which can trigger heightened scrutiny on any future use of that document for identity verification. Monitor bank, credit, and financial accounts directly — do not rely solely on MRU’s employee credit monitoring program if you are not an employee. Watch for targeted phishing messages that may use your real name, student or employee ID number, or other verified personal details to appear credible. Change any passwords associated with university systems, particularly if credentials were shared with other accounts or services.
The Alberta Information and Privacy Commissioner’s office is the appropriate contact for individuals who believe MRU has not met its notification obligations under POPA.
Frequently Asked Questions
What exactly did CMD Organization steal from Mount Royal University?
The group claims to have taken more than 10 TB of data from MRU’s H drive, which stored academic files, lesson plans, research materials, and any personal files that students and staff had saved there. CMD Organization published samples — including passport scans — as proof on its public extortion site. The university has confirmed data was taken and then the drive’s contents were deleted. Determining whose specific folders were affected is still ongoing and is expected to take weeks.
Why is MRU offering credit monitoring to employees but not to students whose data was on the same drive?
The university stated that “corporate data about the university is primarily what’s at risk” and that student information “does not present the same risk profile” as employee data. This distinction has drawn criticism, because passport scans and government-issued ID documents carry the same identity fraud risk regardless of the holder’s employment status at the institution. MRU has said it is continuing to assess the full impact and will notify affected individuals directly; students who believe their personal information was at risk can contact the Alberta Information and Privacy Commissioner’s office if they feel the university’s response is inadequate.
Does paying the ransom guarantee that CMD Organization will delete the stolen MRU data?
No. Ransomware payment does not guarantee data deletion or non-publication. A documented recent example: Change Healthcare paid approximately $22 million to the BlackCat/ALPHV group, which then exited without providing the promised deletion; a second affiliated group, RansomHub, subsequently attempted extortion using the same stolen data. CMD Organization uses an auction model, meaning any buyer — not just MRU — could bid on the stolen information, further reducing the reliability of a “pay and it disappears” outcome.
Could other Canadian universities face the same attack?
Yes — structurally, any post-secondary institution using broadly accessible shared network drives without immutable, air-gapped backups that are isolated from the connected network faces the same exposure. The delete-after-steal tactic is designed specifically to defeat backup-based recovery. Ransomware attacks on the education sector rose 69 percent from 2024 to 2025, and the education sector now averages more than 4,300 cyberattack attempts per institution per week. The MRU attack is a current instance of a documented, dominant ransomware methodology — not an anomaly.
