MacEwan University has reported it was the victim of a phishing attack in August that resulted in the transfer of $11.8 million to the alleged perpetrator.
MacEwan University said in a statement on Thursday that it discovered the fraud on Aug. 23. “A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors,” the release said. “The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor.”
While the eventual financial impact will not be known until an investigation into the incident is complete, more than $11.4 million of the funds has been traced to accounts in Canada and Hong Kong, the university reported. These funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue “civil action” to recover the money, the statement said, adding that the status of the balance of the funds is unknown at this time.
The Canadian Press reported on Thursday that three university staff members made three payment to the bogus account over a nine-day period ending Aug. 19. The university paid out $1.9 million, $22,000 and then $9.9 million. “The university did not realize what had happened until days later when the vendor called asking to be paid,” the Canadian Press said.
“There is never a good time for something like this to happen,” MacEwan spokesman David Beharry said in the statement, “but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”
The university reported that immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. The Edmonton Police Service, law enforcement agencies in Montreal and Hong Kong, and corporate security units of banks involved with the etransfers are working to resolve the criminal aspect of the case.
MacEwan University is also conducting an interim audit of business processes “and controls were put in place to prevent further incidents. The investigation will determine the permanent business process controls that will be implemented,” the statement said, noting that the university’s internal audit group has engaged external expertise to assist in an extensive multifaceted investigation that has already commenced. “Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the statement said.
Final results of the review are expected within a few weeks.
Key stakeholders have also been advised of the incident and the university has informed both the Minister of Advanced Education and the Office of the Auditor General of Alberta.