Important Notification Regarding a Recent Cybersecurity Incident

Please be advised of a recent cybersecurity incident that involved personal information related to individuals who started or completed an application to enrol at StFX in September 2025. If you have been contacted by StFX University about this issue, below is important information about what occurred and what steps you may wish to take as a precaution.

What happened:

In early August, it came to our attention that a StFX staff member’s email account had been compromised by a bad actor. The bad actor used the account to send emails to StFX’s Payroll Department attempting to redirect the staff member’s pay to a fraudulent bank account. 

We blocked the attempted fraud and began an investigation, including engaging with external cybersecurity experts to determine what, if anything, the individual accessed while in the account. Our investigation recently concluded, and we learned that the individual accessed email messages, some of which had attached spreadsheets with some student personal information. 

Based on our investigation, including considering the information that was exposed, we believe the risk of misuse is low. It is not clear that the spreadsheets were downloaded or even accessed. However, in the interest of transparency, we wanted to let you know. 

What information was exposed:

For students or prospective students who started or completed an application to start in September 2025, the exposed information includes the following: 

  • full name
  • student number
  • gender
  • date of birth
  • citizenship
  • personal and student email address
  • phone number (home and cell)
  • street address
  • emergency contact information (with contact information)
  • enrollment information (degree, program, department)
  • high school
  • entry GPA
  • degree/educational history
  • prior college

Approximately twenty students had some additional information exposed. We are reaching out to those students directly. 

What to do about this

We understand that incidents like this can be concerning. As mentioned above, based on our investigation, we believe the risk of misuse is low; however, we encourage you to:

  • Be cautious of urgent messages requesting personal information, downloads, or links. If in doubt, verify requests through a trusted method.
  • Watch out for suspicious job offers, especially those asking for payments or sensitive information before a formal offer.
  • Use your email software to flag any spam or phishing messages you receive and report any spam or phishing messages to @email.

If you have questions, or if you wish to file a formal complaint, please contact @email. If you are not satisfied with our response, you may request a review by the Office of the Information and Privacy Commissioner for Nova Scotia within 60 days.

Moving forward

We sincerely apologize for any worry this may cause. Security incidents are unfortunately becoming more common, but we are committed to learning from every situation and strengthening our safeguards. The university will be reviewing its protocols and providing new guidance to staff on email use and personal information protection to help prevent future incidents.

We want to assure you that your safety and privacy are our top priorities. 

Monica Foster 
Vice-President, Finance & Administration
 

Frequently Asked Questions

Why did it take until now to notify me?

We needed time to thoroughly investigate the incident and determine what information was at risk and who was affected.

Can I find out exactly what information of mine was accessed?

The scope of the breach has been described in the message above. If you have further questions, please contact @email.

Are you contacting emergency contacts?

No. Please inform your emergency contact if you provided us with their information.

Why do you think the risk of information misuse is low?

The individual who compromised the account used it to attempt a payroll fraud. It is unlikely they were interested in stealing information for other purposes.

Are you offering credit protection services?

No, as the exposed information is unlikely to be used for credit fraud. Please remain vigilant for phishing attempts (such as lucrative job offers, etc.).

Is my information safe?

Yes. We are committed to protecting your information and are taking steps to strengthen our safeguards.

What is the university doing in response?

  • The compromised account was secured immediately. There is no evidence of misuse beyond the single email account.
  • A full investigation was completed by ITS and external cybersecurity advisors.
  • We are reviewing our privacy and security protocols, reviewing data access policies, and will be conducting training on data handling. We are also assessing the use of sensitive data in formats like spreadsheets.

What can individuals do to protect themselves?

While there is no evidence of misuse beyond the single email account, we recommend:

  • Being cautious of suspicious emails, texts, or calls.
  • Monitoring your personal accounts for unusual activity.
  • Avoiding reuse of passwords across accounts.
  • Contacting us if you believe your information has been misused.