Cyber-Incident and network updates

College notifies staff and students of privacy incident

On Monday, January 9, Okanagan College responded to an incident in which an unauthorized entity gained access to certain Okanagan College technology systems. As soon as the intrusion was detected, the College took steps to contain the incident and engaged cybersecurity experts to assist with the response and investigation.

In the course of the initial investigation, it was determined that certain information belonging to current students and employees may have been subject to risk as a result of the incident. Out of an abundance of caution given the early stage of the investigation, on January 23, 2023 all current students and current employees were notified of the incident and provided with supports.

Current students (Jan. 2023) should read the NOTIFICATION OF PRIVACY INCIDENT (Jan. 23, 2023).

Current employees (Jan. 2023) should read the NOTIFICATION OF PRIVACY INCIDENT (Jan. 23, 2023).

Update – June 2023

In June, 2023, as part of the ongoing investigation into the cyber-incident, Okanagan College is extending credit monitoring and identity theft protection services to an additional group of individuals mostly comprised of some of our former staff and former students.

Those individuals will be notified by direct mail, with a letter that provides additional information and instructions for accessing credit monitoring services that are being provided by the college.

Please note, these letters are not being sent to anyone who was a current student or employee in January 2023. Current students and employees have already been notified and as noted above, can continue to access the credit monitoring and identity theft services. (Instructions below under Questions and Answers.)

Access to myOkanagan

Individuals who accessed College services through myOkanagan before January 2023 may have difficulty logging in if you have not entered your login and password recently. If this is the case for you, please contact: IT Helpdesk

If you have a question about the cybersecurity incident that is not addressed by the Questions and Answers below, please contact cyberincident@okanagan.bc.ca.

Questions? Please see cyber-incident FAQs or contact cyberincident@okanagan.bc.ca.

Cyber-incident FAQs

On Monday, January 9, 2023, Okanagan College responded to an incident in which an unauthorized entity gained access to certain Okanagan College technology systems.  The College responded by immediately shutting down and disabling network access across all of our campuses. We engaged external cyber-security experts to assist in our investigation of the incident and restoration of our IT systems, both of which are active and ongoing.

Upon discovery of the incident, we took immediate steps to secure our IT systems and out of an abundance of caution issued a public statement on January 11, 2023, to our students and staff. We immediately launched an investigation with a leading third-party cyber forensic services firm.

We notified the RCMP, the Office of the Information and Privacy Commissioner for British Columbia, and the Canadian Centre for Cyber-Security, whose collective recommendations we have followed throughout this process.

On January 23, 2023, we issued notification to current students and employees of the incident. The notification included information about how to access credit monitoring services and steps to take to their protect personal information.

We immediately initiated a comprehensive forensic investigation with the assistance of cyber-security experts. Within a short time of launching the investigation, there was evidence that suggested certain information, including information belonging to some current students and employees, was potentially subject to risk. Out of an abundance of caution, we decided to notify and extend credit monitoring and identity theft protection services to all current students and staff as of January 2023.

Our investigation is ongoing. As there is evidence to determine that the sensitive information belonging to specific individuals, beyond those people who have already been notified, may be at risk, we will contact those people directly and provide access to appropriate supports.

As a matter of best practice, we recommend that you remain vigilant, as always, to the possibility of fraud and identity theft by reviewing your financial statements and accounts regularly for any unauthorized activity. We encourage you to notify any credit card company(ies) and financial institution(s) where you have accounts, as they may have additional advice for you to consider.

Monitor your account statements for unusual activity or discrepancies and report them to your credit card company(ies) and financial institution(s). Please note that most credit card companies and financial institutions give you a limited amount of time (often, but not always, 30 days) to review your statements and dispute any unauthorized charges with them. You should also notify your local law enforcement of any suspicious activity.

The ongoing investigation into the cyber-incident experienced by the College involves reviewing and determining what folders, files and information may have been at risk of compromise at the time of the cyber-incident. This is not limited to the information that was published online by the perpetrators of the cyber incident; it extends to all files they may have accessed on the Okanagan College computer network.

In January 2023, out of an abundance of caution, current students and current employees were notified of the incident and that their information may have been at risk, and they were provided access to credit monitoring and identity theft services.

Where it has been identified that information belonging to individuals beyond current students and current employees may have been at risk, we are notifying those individuals directly.

Where our investigation determines that sensitive information belonging to people such as former students, former employees or other individuals may be at risk, we are notifying them directly, by mail. These personal notification letters will outline recommended next steps/supports as appropriate.

We certainly understand and appreciate your concern. Please know that our efforts to determine precisely what information may have been affected continues to be a top priority in our ongoing investigation.

On January 23, 2023, we proactively notified current students and employees of the College and provided access to credit monitoring services out of an abundance of caution.

Where the investigation determines that information belonging to individuals who were not current students and employees in January may have been at risk, the College will notify those people directly and provide access to appropriate supports.

If you have not received a direct notification, it indicates that at this point, your information has not been identified as being at risk from the Okanagan College cyber-incident. If you have reason to believe otherwise, please email cyberincident@okanagan.bc.ca

It is unfortunately not possible, given the complexity of this incident. As per our notification on January 23, 2023, current students and employees as of that date should work under the assumption that any personal information provided to the College was subject to risk, and they should act accordingly.

If and when the investigation determines that sensitive information belonging to individuals other than current students or current employees may have been at risk, we will notify those individuals directly.

Yes. Anyone who was a current student and/or employee in January 2023 was included in the notification the College sent out on Jan. 23, and which is posted on the OC website.

To activate myTrueIdentity:

  • Obtain your unique Activation Code by contacting TransUnion at 1-833-806-1882. This is a dedicated phone number for Okanagan College.

Note: Call centre hours are Monday – Friday, 6:00 am to 3:30 pm PST, excluding statutory holidays. You will be asked questions to confirm that you were an active student or employee in January 2023, including your name and student/staff number (300- number).

  • Activate your account with your unique activation code immediately, by visiting https://www.mytrueidentity.ca
  • When activating your account, you will also need to provide TransUnion with your name, address, email address, date of birth, and SIN (optional), as well as answer certain authentication questions so that TransUnion can verify your identity and correctly link to your credit file.

No. Out of an abundance of caution, current students and current employees were notified on January 23, and are encouraged to follow the steps to take advantage of the credit monitoring and identity theft protection services that were offered at that time. Nothing that has been discovered during the investigation since that time changes the nature of the advice and support that was offered previously.

Not at this time. At this stage, College is providing access to credit monitoring and identity theft protection services to individuals where the investigation to this point has indicated their sensitive information may have been at risk. In many cases, these are past students or past employees, but we currently have no evidence to suggest that all past students or past employees were impacted.

The investigation is complex and it is ongoing and it is not possible to predict with certainty. If the evidence determines that additional notifications are required, the College will act accordingly. OC remains committed to providing students, staff and the broader OC community updates as we are able.

The College is using different resources and services to identify and confirm mailing addresses. In many cases, OC has this information and is taking steps to verify it where possible. In situations where addresses are missing, we are making best possible efforts to work with external partners and agencies to confirm that information. This work is being done in consultation with the Office of the Information and Privacy Commissioner for British Columbia to ensure that any

information sharing between the College and our external partners and agencies is appropriate, limited to what is strictly necessary, and carried out in a privacy-protective manner.

No. Only certain former students and employees are believed to be affected, and we are notifying those individuals directly. If you have not received a direct notification, it indicates that at this point, your information has not been identified as being at risk from the Okanagan College cyber-incident. If you have reason to believe otherwise, please email cyberincident@okanagan.bc.ca.

In Canada, there is no credit monitoring product that is offered to minors because you do not have a credit history that can be monitored, as you must be the age of majority to obtain credit in Canada (18+).

Possibly. Your citizenship or where you are from does not impact whether or not you are eligible for credit monitoring services in Canada. Non-Canadians may be eligible for credit monitoring if they have a sufficient Canadian credit file that can be monitored.

Your Canadian credit history is created when you borrow money or apply for credit from a Canadian lender. Your credit history is a record of how well you manage credit and how risky it would be for a lender to lend you money.

If you have not borrowed money or managed credit for very long in Canada, you may not have enough credit history for TransUnion to extend credit monitoring services to you. If this is the situation, they will tell you that you are not eligible for credit monitoring.

If you know that you have not taken out any loans or applied for and accessed credit in your own name from a Canadian lender, you will most likely not have a Canadian credit file. If that is the case, please contact cyberincident@okanagan.bc.ca so that we can determine what options may be available to you.

In Canada, when an individual applies for credit, the organization accepting the application may send an inquiry to either TransUnion or Equifax, or both, to assess the individual’s creditworthiness.

If the organization approves the individual’s application for credit, it will report its decision to extend credit to both TransUnion and Equifax.

If you have registered for the myTrueIdentity credit monitoring services, you will receive a notification when credit has been approved under your name, giving you a chance to intervene. If the application inquiry was through TransUnion you may also receive a notification at that time.

In the event you do not intervene in time to prevent the credit from being granted to someone who is trying to steal your identity, identity theft insurance and support is available through your myTrueIdentity services to assist you in recovering your identity and fixing your credit report.

The College is offering current students and current employees, as well as other impacted individuals including some but not all former students and former employees, two-years of credit monitoring through TransUnion’s myTrueIdentity services.

There are many trusted sources available for people who may have been impacted by any information breach to consider and use to determine their next steps. They include the RCMP, the Canadian government, the Office of the Information and Privacy Commissioner for British Columbia, the CRA, etc.

Individuals may choose to contact either or both of Canada’s two main credit reporting agencies to have an Identity Alert (Equifax) or Fraud Warning (TransUnion) added to your credit report.

(Please note: Equifax has an additional option where it will add a Fraud Alert to your credit report, IF you are a confirmed victim of identity theft, meaning that you have evidence that someone else has actually tried to use your identity to obtain credit in your name.)

Contact Canada's main credit reporting agencies to have an identity alert added to your credit report. 

  • TransUnion Canada (1-866-525-0262, Québec 1-877-713-3393) 
  • Equifax Canada (1-800-465-7166)

No. Service Canada does not issue a new social insurance number to individuals who are potentially affected by a data breach.

You should notify the CRA if you have reason to believe someone else is actually using your social insurance number. An example of this would be if you receive a Notice of Reassessment for undeclared earnings – it may mean that someone else used your SIN to work or receive taxable income.

For detailed information on the steps to follow if you suspect someone is using your SIN: https://www.canada.ca/en/employment-social-development/programs/sin/pro…

If you have reason to believe that you have been a victim of fraud or identity theft, whether or not you think it relates to the Okanagan College cyber incident, we urge you to contact your local police, and to notify any financial institutions you have a relationship with. If you have activated the myTrueIdentity credit monitoring and identity theft protection service,

you may also wish to contact a CyberScout personal fraud specialist first, as they can assist you with making all other notifications. To contact a CyberScout personal fraud specialist, please call 1-833-806-1882. You can also contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or online at https://www.antifraudcentre-centreantifraude.ca/index-eng.htm.

Please note, we have notified the Office of the Information and Privacy Commissioner for British Columbia of this incident and they are investigating the matter. If you would like to receive information from or file a complaint with the Office of the Privacy Commissioner for British Columbia, please contact info@oipc.bc.ca.

The dark web is not considered safe to access by the public and you could be exposing yourself to risk by attempting to access it.

Unlike the (regular) web we use for things like news, shopping, and social media, the dark web is part of the internet that is not indexed by search engines. This means you can’t search the dark web on Google, for example. It can only be accessed with special web browsers and is not considered safe to access unless you are familiar with the threats it presents.

The dark web allows cybercriminals to browse, sell, or trade on dark websites with confidence and complete anonymity. It also has a highly layered encryption system, which means hackers can communicate without giving away their location, IP address, or identity.

You may not know if your information is included in any privacy breach, and you may already be the victim of a number of both disclosed and undisclosed cyber-incidents. That is why it is important for everyone to be vigilant and take steps to protect their personal information at all times, whether or not you have received a notification from Okanagan College.

No, we do not recommend this. The dark web is not considered safe to access by the public and you could be exposing yourself to risk.

To learn more about what you can do to protect yourself, and what do to do if you believe your personal information has been misused, we encourage you to visit trusted sources, such as the website of the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/en/privacy-topics/identities/identity-theft/guid….

It would be more accurate to call the incident a double extortion attack.

It is now abundantly clear that the intended purpose of the attack was to both steal data and encrypt our IT infrastructure to extort the college. Unfortunately, this type of attack is now extremely common, and these particular hackers are known to specifically target educational institutions.

We did not entertain conversations about paying a ransom. Regardless of the amount, even if we had paid a ransom, there still would have been no way to be absolutely certain that it would have resulted in the destruction or even non-publication of any stolen or compromised data.

Support for students and employees

If you need support:
Students can access a wide range of support through Student Services, including Counselling Services. To book a counselling appointment, visit the Counselling Services booking page. Students can also access mental health support 24/7 through the Province of BC’s Here2Talk page. 

Employees can access support, including Counselling and other online services, through the College’s EFAP (Employee and Family Assistance Program) Homewood Health. Log into your Homeweb account at www.homeweb.ca or download the mobile app at www.homeweb.ca/app. More information is available at www.okanagan.bc.ca/efap. If you have any questions, please reach out to your Pension & Benefits Coordinators at: benefits@okanagan.bc.ca.