Calgary University: Hackers, Ransom Payment, and More

CALGARY — The University of Calgary paid hackers $20,000 CAD (roughly $15,000 USD) to unlock its systems after a ransomware attack. The kicker? They sat on the breach for ten days before going public.

University officials insist no personal data leaked during the attack. That's the official line, anyway—standing in sharp contrast to swirling, unverified claims about a former PhD researcher with alleged Iranian intelligence ties who supposedly accessed personal information on over 700 Calgarians. Those claims remain completely unsubstantiated.

The Money vs. The Message

Paying ransom is always a gamble. You're betting the attackers will actually hand over the keys and walk away clean. The university made that bet, then waited over a week to tell anyone about it.

Alberta's Freedom of Information and Protection of Privacy Act (FOIP) likely requires the university to file a formal breach report with the Office of the Information and Privacy Commissioner of Alberta (OIPC). Whether that report exists? Nobody's saying.

Foreign Threats, Local Targets

The timing is uncomfortable. The Canadian Security Intelligence Service (CSIS) has spent the past year warning universities that foreign actors—including Iran—are hunting Canadian campuses for intellectual property and tracking diaspora communities. In mid-2025, Public Safety Canada told universities to lock down sensitive research, especially in STEM fields.

The University of Calgary updated its Digital Strategy in Q2 2025, pumping resources into data security as cyber threats escalated. Now they're testing whether those upgrades were enough.

The university's Conjoint Faculties Research Ethics Board (CFREB) signs off on data security protocols for human research subjects. If this breach exposed vulnerabilities in those protocols, the fallout could be expensive. Think OIPC fines for FOIP violations. Think jeopardized federal research funding from Tri-Council Agencies (NSERC, SSHRC, CIHR). Think a cybersecurity budget under serious scrutiny.

What We Don't Know

No confirmation exists that CSIS or the RCMP's Integrated National Security Enforcement Team (INSET) is investigating foreign intelligence connections. No formal breach notification to the OIPC has surfaced publicly. And those claims about the Iranian-linked researcher and 700 compromised Calgarians? Unverified and unsupported by any available evidence.

The university maintains its investigation found "no indication that users' personal data or other university data was released to the public during this attack."

Whether students, staff, and the public buy that assurance is another question entirely. The university paid to make the problem go away. What remains to be seen is whether the problem actually left.