Personal data from potentially thousands of students and staff was stolen in a cyberattack late last month, the University of Winnipeg says.

The names, social insurance numbers, birth dates and addresses of former and current students and school employees have likely been exposed to the attackers, the university said in a Thursday news release.

The bank account information of anyone employed by the university since 2015 is also part of the potential exposure.

"We're talking about personal financial information going back, I think in some cases, even 20 years," said Peter Miler, president of the University of Winnipeg Faculty Association.

"It's clearly highly serious.… It's a lot of data, specific data, that can be used in a lot of nefarious ways."

The leak potentially affects all graduate and undergraduate students enrolled since the fall of 2018, those enrolled in professional, applied and continued education and English-language programs since September 2019, as well as students who were issued T4A forms by the U of W since 2016, the university said.

All current employees and all former employers since 2003 are also likely affected.

LISTEN | Faculty association president reacts to U of W cyberattack update:

The phone numbers of staff and compensation information were also part of the leaked data, the university said.

"I'm disturbed," said Karen Froman, assistant professor in the school's history department. "A lot of personal information has been leaked. So I'm very concerned about this, not only for myself but, you know, for the students as well."

Students might have also had their fees and tuition amounts, gender and marital status information, and student numbers stolen by the attackers, the university said.

"Immediately, I reached out to my parents and was like, what do I do?" said Elysse Paterson, a classics major. 

"If people can take everything from me — I mean, I don't have much to give. But there's a lot of personal information, and I just don't know how to cope with this."

Himanshu Gill, a business administration student, said he feels powerless knowing that bad actors may have their hands on his personal data.

"They can exploit us in the near future," he said. "So yeah, it's a little bit concerning."

The U of W said it's still investigating whether other people have been affected by the attack, which was detected on March 24, but has "now confirmed that data from a university file server has been stolen and that the stolen information likely includes the personal information of current and former students and employees," the university's news release said.

It's believed the theft likely occurred the week before it was discovered.

The university pushed back its exam period and move-out date for students living on campus in the week following the detection, which led to the shutdown of some of its critical systems.

"We're also scrambling of course to finish the term and deal with the continuing ramifications of the cyberattack's kind of freezing of some technology on campus," Miller said. "So it's definitely a kind of whirlwind of bad things all at once."

The probe into the attack could take months, the university says. Law enforcement and the Manitoba Ombudsman office have been notified.

The university says it's providing anyone who was likely affected by the attack with two-year credit monitoring so they're better protected against identity fraud. Instructions will be sent out in the coming days.

Marc Perreault, senior manager of security assurance at Mozilla, said all the information has probably already been put up for sale on the dark web.

He said all it takes is one flaw in an organization's cybersecurity protocols for attackers to gain a foothold into a system.

"At the end of the day, you know, it would be hard to believe if the university was negligent and that was the cause of this," he said. "The reality is, it happens to … individuals and then everything up to like organizations with tens of thousands of users."

In its release the university says it is "deeply sorry" about the incident and pledges to implement stronger defences in its online systems.

Miller said the faculty association will continue to push the school's administration for transparency into the situation, and more protections.