[
Students at the College of New Caledonia (CNC) in Prince George may have had their personal information compromised in a months-long data breach.
Cybersecurity experts say it is emblematic of wider cybersecurity problems within educational institutions that can pose serious risks to students’ personal information.
In a letter sent to students in July, the college says that on March 5, 2025, they learned an unauthorized individual gained access to their online systems, but the individual may have had access to this information on or before Oct. 31, 2024.
The college says that as soon as it learned of the breach, it immediately engaged a team of security experts, including legal counsel, to secure systems and conduct a full investigation into the cause and scope of the incident.
CBC News has asked the college for clarification on when it discovered personal data had been breached and how long it took for students to be notified. The college’s communications department says it is putting together a timeline in consultation with an outside firm it has engaged to help manage the breach.
The letter says the breach may have involved information that includes students’ names, phone numbers, College of New Caledonia account usernames and cleartext and hashed passwords, student IDs and email addresses.
“This incident demonstrates how even small leaks from academic institutions can have long-lasting effects,” said cybersecurity researcher Bob Diachenko.
These can be helpful measures for any citizen who wants to protect your privacy.
He says five months of potential exposure increases the likelihood of undetected malicious activity, and that storing cleartext passwords, where the password is not encrypted and is therefore easily readable, is unacceptable in modern cybersecurity.
The college says it notified the RCMP and the B.C. privacy commissioner on July 7 and immediately engaged a team of security experts, including legal counsel, to secure systems and conduct a full investigation into the cause and scope of the incident.
But researchers in the field of cybersecurity say that may not be enough, and educational institutions need to take better measures to protect student data.
Educational sector a prime target for cyber attacks
Claudiu Popa, the co-founder of Canada’s Cyber Safety Foundation, says the educational sector is one of the most targeted in Canada.
“They aggregate a lot of very juicy and valuable personal information on students, on people who will be around for decades, on individuals who are going to be participating in the economy, and that is very valuable.”
Popa says email addresses are one of the most valuable things that can be stolen or leaked, as educational institutions often store separate email addresses where they can alternatively contact students.
“In those cases, that’s very valuable because it can be used for identity theft, phishing, impersonation, intimidation, extortion, and a variety of things.”
He also advises students to file their own report with the privacy commissioner to ensure that their information is recorded and they get updates on the breach.
CNC is providing students with one full year of free credit monitoring services and identity protection services from TransUnion Canada and myTrueIdentity.
The college says it has no evidence any information was misused, but is warning students to be vigilant for any potential signs of identity fraud and suspicious activity on their accounts.
However, Popa says most cyber criminals don’t even bother using the data in the first year, as cellphone numbers and email addresses typically don’t change over time.
“It’s a cool-down period. It’s like when car thieves will drive away in a car, they will park it in a lot and leave it there for three, four or five days.”
He says on average, it takes 287 days to detect a data breach and an additional 45 days to clean it up, but many data breaches at educational institutions fly under the radar.
“Hackers typically break in so easily into educational institutions that they rarely leave a trace, so most data breaches and security incidents we never hear about. Sometimes you hear about it if you are a student at that institution, but for the most part, they don’t even get publicly reported.”
The college says it has taken steps to prevent a similar event from occurring in the future by continuing to improve its information security technology and practices and enhancing training.
CNC says the incident had no impact on operations, and classes continue unaffected for students and employees.
They did not answer questions about how many students were impacted or the costs associated with managing the breach.