On July 7 and 8, 2026, Mount Royal University in Calgary told its community what three weeks of forensic work had established about the cyberattack it detected on June 17: an unauthorized actor breached the university’s network, stole data from folders on the “H drive” — the personal file storage system used by current and former students and employees — and then deleted the original copies to impede recovery. The attacker also wiped the university’s “J drive,” which held departmental data. For the J drive, MRU says there is no evidence the data was accessed or copied before it was deleted — and that a full recovery may not be possible.

Read that sequence again, because it inverts the pattern compliance teams have spent a decade preparing for. This was not encryption with a decryptor for sale. It was not quiet exfiltration discovered months later. The attacker took the data, then destroyed the university’s own copy of it — converting a confidentiality incident into a simultaneous confidentiality, availability, and integrity failure in a single operation.

The extortion group calling itself the CMD Organization claimed the attack, published samples of allegedly stolen data — including passport scans — and demanded 30 BTC (roughly US$1.9 million) with a six-day deadline before releasing what it claims is more than 10 terabytes of material. MRU has reported the incident to the Office of the Information and Privacy Commissioner (OIPC) of Alberta and to law enforcement, and is offering two years of credit monitoring to current employees and anyone employed within the past five years. Students, notably, have not been offered monitoring. The university, which serves roughly 11,560 students, says the recovery will take weeks to months and has declined to comment on any negotiations.

This article works through why “stolen then deleted” is a categorically harder compliance problem than either theft or encryption alone — and what the Canadian legal framework, and every major security standard, actually demands of organizations facing it.

What Happened: The Timeline and the Two Drives

The verified facts, drawn from MRU’s statements and independent reporting:

  • June 17, 2026 — MRU detects a cyber incident and begins shutting down affected services, including online services, internet access, phones, and parts of its website.
  • June 18, 2026 — The university notifies its community that an incident has affected certain systems and services, and engages external cybersecurity experts.
  • July 7–8, 2026 — MRU confirms the data breach: specific folders on the H drive (individual file storage for students and employees) were accessed and copied by the attacker, and the originals deleted. The J drive (departmental data) was erased, with no current evidence of prior exfiltration. Restoration of deleted J drive data is underway, but the university concedes full recovery may not be achievable.

The data types at risk reflect what a university file share accumulates over years: academic files, grading records, professional employee files, digital media, and whatever personal information individuals chose to store in their own folders — a category the university itself cannot inventory, because it never controlled what people saved there. The attacker’s leak samples, which include identity documents, suggest at least some of that uncontrolled personal storage was sensitive.

The CMD Organization is a newer entrant in the extortion economy — researchers note that only a handful of its 32 claimed attacks have been independently confirmed — operating auction-style data sales across clear-web and dark-web portals. Whether MRU’s attacker deployed encryption anywhere in the environment is not publicly confirmed; what is confirmed is that deletion, not encryption, was the recovery obstacle, and the stolen copy was the extortion leverage.

Why Destruction Is Different: The Scoping Problem

Most breach-response playbooks are built on an implicit assumption: the victim still has the data. You image the systems, compare access logs against the data at rest, enumerate the records the attacker touched, and map affected individuals to notification duties. Every step of that process assumes the haystack still exists.

Destructive attacks remove the haystack. Three consequences follow, and MRU is living all of them:

1. You may not be able to determine what was taken. MRU’s own disclosure acknowledges that its understanding of the data’s scope “continues to evolve.” If the authoritative copy of a file share is gone, reconstructing what it contained depends on backups, file-system metadata, storage snapshots, and logs — each of which may be incomplete, and some of which the attacker may also have destroyed. The organization is left proving a negative from fragments. When the attacker then publishes samples, the victim can be in the humiliating position of learning the contents of its own systems from the criminal’s leak site.

2. The forensic evidence and the operational recovery compete for the same artifacts. Restoring service quickly means rebuilding storage; preserving evidence means freezing it. In an encryption event, the ciphertext at least sits still while you decide. In a deletion event, every recovery action — restoring from backup, rebuilding volumes, un-deleting at the file-system level — risks overwriting the residual data that forensics needs to establish what the attacker accessed.

3. Destruction is itself a reportable harm — even without proof of theft. This is the point organizations most often miss, and MRU’s J drive is the perfect illustration. There is currently no evidence the J drive’s contents were exfiltrated. But the data is gone, and both of Canada’s relevant breach regimes are triggered by loss of personal information, not only by unauthorized access or disclosure. An organization that treats “no evidence of exfiltration” as “no breach” is misreading the statute. If personal information a public body was obliged to safeguard has been destroyed — including information individuals needed, like academic records or employment files — the availability failure can independently constitute a real risk of significant harm.

The scoping problem also poisons the notification analysis in a subtle way. Canadian regimes require notice to affected individuals when there is a real risk of significant harm. But if you cannot enumerate what the deleted-and-stolen share contained, you cannot cleanly enumerate who is affected. The defensible answer — and the one MRU appears to be converging on with its broad credit-monitoring offer to five years of employees — is to notify to the outer boundary of what the system could have contained, not the inner boundary of what forensics has confirmed. Under-notification based on incomplete evidence you allowed the attacker to destroy is not a position any organization wants to defend before a commissioner.

The Canadian Framework: POPA, PIPA, and PIPEDA

Canadian breach law is a patchwork, and getting MRU’s position right requires precision, because the statute that actually governs it is barely a year old.

Alberta’s Protection of Privacy Act (POPA) — the statute that governs MRU. Mount Royal is a public post-secondary institution, which makes it a public body under Alberta law. Until 2025, public bodies were governed by the FOIP Act, which had no mandatory breach reporting at all. That changed on June 11, 2025, when POPA came into force and replaced FOIP’s privacy provisions. Under POPA section 10(2), a public body must notify affected individuals, the Information and Privacy Commissioner, and the responsible Minister where the loss of, or unauthorized access to or disclosure of, personal information creates a real risk of significant harm (RROSH) to an individual. Note the first word of the trigger: loss. Deleted data is lost data. POPA also raised penalties dramatically — up to $1 million for organizations, against FOIP’s old $10,000 cap — and its privacy management program requirements took effect June 11, 2026, days before the MRU attack began. MRU’s report to the OIPC of Alberta is this obligation in action: the university is among the first major test cases of Alberta’s new public-sector breach regime, in almost the hardest fact pattern the regime could face.

Alberta PIPA — the private-sector sibling. Organizations that are not public bodies — private colleges, edtech vendors, the contractors and service providers surrounding every university — fall under Alberta’s Personal Information Protection Act, which has required breach reporting to the Commissioner since 2010 using the same real risk of significant harm standard. Under PIPA, the organization reports to the OIPC, and the Commissioner decides whether and how individuals must be notified — a structural quirk unique to Alberta. Any private-sector service provider entangled in an incident like MRU’s must run its own RROSH analysis rather than assuming the public body’s notification covers it.

PIPEDA — the federal baseline. For organizations engaged in commercial activity across most of Canada, PIPEDA requires reporting to the Office of the Privacy Commissioner of Canada and notification to individuals as soon as feasible where a breach of security safeguards creates a real risk of significant harm. Critically for the destructive-attack analysis, PIPEDA defines a “breach of security safeguards” as “the loss of, unauthorized access to or unauthorized disclosure of personal information” — loss, again, leading the list. PIPEDA also requires organizations to keep records of every breach, RROSH or not, for two years. A national organization suffering an MRU-style attack would face PIPEDA plus Alberta PIPA plus Quebec’s Law 25 in parallel, a multi-regulator exercise we mapped in the context of the Oracle PeopleSoft zero-day wave.

RROSH and the destruction factor. The RROSH assessment weighs the sensitivity of the information and the probability of misuse. Stolen passport scans and employee files clear the bar trivially. But destructive attacks add a dimension the standard guidance barely addresses: the harm from unavailability. A student whose only copy of academic work is gone, an employee whose HR records cannot be reconstructed, a department whose operational files never come back — these are real harms flowing directly from the “loss” limb of the statute, and they exist whether or not the attacker ever publishes anything.

Universities carry sector-specific weight on top of this. They hold decades of alumni records, research data subject to granting-agency and ethics-board conditions, immigration documents for international students (hence the passport scans), and health information from campus clinics that may engage Alberta’s Health Information Act separately. The education sector’s attractiveness to extortion crews is not hypothetical — Moody Bible Institute’s ShinyHunters breach showed the same dynamics under the US framework earlier this year, and universities were the most numerous victims of the PeopleSoft campaign.

Backups Are a Compliance Obligation, Not an IT Preference

The MRU attacker deleted data specifically to impede recovery — which means the attack was, among other things, a direct assault on the university’s backup and resilience posture. That posture is not merely good practice. Across every major framework, it is an auditable obligation:

ISO/IEC 27001:2022 addresses it from three directions. Control A.8.13 (Information backup) requires backup copies of information, software, and systems to be maintained and regularly tested in line with an agreed topic-specific policy. Controls A.5.29 and A.5.30 require information security to be maintained during disruption and ICT readiness for business continuity — the organization must know its recovery time and recovery point objectives and be able to hit them. An organization that discovers mid-incident that “a full recovery may not be possible” has, in audit terms, just failed a live test of A.8.13.

NIST CSF 2.0 elevates the same idea through its Recover function — recovery planning (RC.RP) and incident recovery communications — while PR.DS in the Protect function covers maintaining and verifying backups. CSF 2.0’s addition of the Govern function makes the point sharper: recovery capability is a governance outcome that boards are expected to oversee, not a server-room detail.

The 3-2-1 rule has hardened into a regulatory expectation. Three copies of data, on two different media, with one copy offsite — and, in the modern formulation, at least one copy offline or immutable, because attackers who intend to delete your data will reach your online backups first. CISA’s ransomware guidance, the Canadian Centre for Cyber Security’s baseline controls, and sector regulators from OSFI to state insurance regulators under the NAIC Model Law all articulate versions of the same expectation. When the OIPC of Alberta examines whether MRU made “reasonable security arrangements” — the safeguards standard in POPA, as in PIPA and PIPEDA — the questions will include: Were the file shares backed up? Were the backups isolated from the credentials the attacker held? When were restores last tested? The J drive’s uncertain recovery suggests at least one of those answers was uncomfortable.

The deeper design lesson is about blast radius. A network file share writable by thousands of students and staff, and deletable by whatever access the attacker escalated to, is a 1990s architecture holding 2026 data. Immutable snapshots, versioned object storage, and backup systems that authenticate separately from the production domain exist precisely so that a single compromised access path cannot both read and destroy the institutional record.

Deletion Is the New Encryption

MRU is not an isolated data point; it is a marker in a trend line. Encryption-based ransomware is operationally expensive for attackers — encryptors get fingerprinted, decryptors fail and destroy the “trustworthy counterparty” fiction, and endpoint tooling has gotten genuinely good at catching mass encryption in progress. The extortion economy has been migrating toward exfiltration-only operations for years — ShinyHunters’ entire 2026 campaign has run on theft and leak-site pressure, without an encryptor in sight.

Steal-then-delete is the next step in that migration, and it is more coercive than either predecessor. Pure exfiltration leaves the victim operational: you can refuse to pay, notify, and absorb the leak, as many victims of the West Pharmaceutical Services ransomware breach era learned to do. Encryption at least implies a decryptor. Deletion offers the victim a uniquely ugly proposition: the criminal now holds the only complete copy of your data. Pay, and you are ransoming back your own availability, not just suppressing a leak. Refuse, and the data is both published and permanently lost to you. For attackers, deletion is also cheaper and faster than encryption — rm at scale requires no cryptographic infrastructure at all.

For compliance teams, the trend has a concrete implication: incident-response plans and tabletop exercises built around “encryption event” and “exfiltration event” scenarios need a third scenario, in which scoping data no longer exists on your systems, recovery depends entirely on backup integrity, and the notification analysis must proceed from what systems could have contained rather than what logs confirm was touched.

What To Do Now: A Checklist

For universities and any data-rich organization, the MRU incident converts into specific, assignable work:

  • Verify the 3-2-1-1 posture on your file shares this month. Three copies, two media, one offsite, one immutable or offline — and confirm the backup platform does not trust the same identity provider the attacker will compromise. Test an actual restore of a file share, at scale, and time it.
  • Map your “uncontrolled personal storage.” Personal drives, home directories, OneDrive/Google Drive tenants — systems where individuals store data the institution cannot inventory. Set retention limits, quota policies, and sensitivity scanning, because in a breach you will be asked what was there, and “we have no idea” is now a documented liability.
  • Rewrite the breach-scoping playbook for destruction. Ensure snapshots, file-system journals, and access logs are retained off-platform so that deletion of primary storage does not also delete your ability to scope the incident. Log retention is forensic insurance.
  • Treat “loss” as a notification trigger. Update RROSH assessment templates so that destruction of personal information — even without evidence of exfiltration — is analyzed as a potential harm in its own right. Alberta public bodies should confirm their POPA section 10 procedures and their June 2026 privacy management program obligations are actually operational.
  • Pre-map the regulator matrix. Alberta public bodies: OIPC plus the Minister plus individuals. Private organizations in Alberta: OIPC under PIPA, with the Commissioner directing individual notice. Federally regulated or multi-province: PIPEDA’s OPC filing and two-year breach records, plus Quebec’s CAI where applicable. Decide now who drafts and who signs.
  • Tabletop the steal-then-delete scenario. Include the specific decision MRU faced: the criminal holds the only complete copy. Establish in advance — with counsel and leadership — how ransom-for-availability differs from ransom-for-suppression in your decision framework, and what your position is when backups turn out to be partial.
  • Decide the notification boundary philosophy in advance. When scope cannot be confirmed, will you notify to the outer boundary of possible exposure? MRU’s five-year employee monitoring offer reflects that logic; its silence on students shows how contested the line can be.

Conclusion

Mount Royal University’s disclosure is careful, staged, and — by the standards of breach communications — reasonably candid about an unusually bad fact pattern: the attacker took the data, destroyed the originals, and left the university negotiating with the only party holding a complete copy, while a second drive may never fully return. It is also one of the first major stress tests of Alberta’s new public-sector breach regime, arriving one year almost to the day after POPA’s breach-reporting duty took effect.

The strategic lesson generalizes well beyond Calgary. The industry spent a decade retooling for confidentiality breaches — leak sites, notification statutes, credit monitoring — and attackers responded by attacking availability as well, because destruction is cheap and the leverage is total. The organizations that will ride out the steal-then-delete era are the ones that treat backup integrity, immutable copies, and off-platform forensic evidence as compliance obligations with owners and test dates — because when the primary copy is gone, everything else in the response, from the RROSH analysis to the regulator filing to the letter each affected person receives, stands on whether the second copy survived.

The attacker deleted the data to impede recovery. That is the adversary telling you, in plain language, which of your controls it fears. Fund that control accordingly.

Sources: BleepingComputer — Mount Royal University confirms breach as hackers claim attack, SecurityWeek — Mount Royal University Confirms Data Stolen in Ransomware Attack, LiveWire Calgary — Mount Royal University hit by ransomware attack on student and staff files, CBC News — Mount Royal University ransomware attack compromised student, employee data, OIPC of Alberta — Breach Notification Requirements, OIPC of Alberta — Protection of Privacy Act (POPA) Overview, Gowling WLG — Alberta overhauls public-sector privacy and access to information law

This article is provided for informational purposes only and does not constitute legal advice.