This week a Calgary university found out the hard way that stolen data and deleted data are two different disasters happening at once. Meanwhile, Canada's AI rulebook is taking shape without a single big new law, even as China, the EU, and a US state all moved on AI governance in the same seven days. Two very different stories, one common thread: knowing what you'd do in the first 24 hours matters more than knowing every regulation by heart. Let's get into it.

🗞️ STORY OF THE WEEK

Mount Royal University in Calgary confirmed this month that a June 17 cyberattack was far more than a service outage. Hackers broke into the school's network, reached a shared file storage system known as the "H drive," used by both students and staff for coursework, research, and personal files, and copied everything before deleting the originals. A second drive holding departmental records was wiped too, though there's no evidence that one was copied first.

A group calling itself CMD Organization has since claimed responsibility, posting sample files on its leak site and demanding roughly $1.9 million in cryptocurrency, a figure that Comparitech researchers say is nearly four times the group's typical ransom demand. The attackers also claim to have taken more than 10 terabytes of data.

MRU says the exposure mostly involves corporate and employee information, and it has decided not to offer students credit monitoring because it considers their risk lower. That call has drawn criticism, since students' personal documents lived on the very same drive. The university has reported the incident to Alberta's Information and Privacy Commissioner and says a full accounting of who was affected could take weeks or months.

Why it matters to you

Most small businesses store the "boring" stuff, invoices, HR files, client contracts, in one shared drive that everyone on the team can reach. Ask yourself: if that drive were deleted tomorrow, would you be restoring from a backup that lives somewhere separate, or would you be starting from zero?

What you can do right now

This week, confirm that your backups are stored somewhere a hacker who breaks into your main network cannot also reach, and actually test restoring one file from that backup to make sure it works. A backup nobody has ever restored from is a hope, not a plan.

⚡THE RIPPLE EFFECT - Three stories, and what they actually mean for your business

Nation-State Hackers Are Quietly Inside Canadian University Networks
Researchers this week reported that China-aligned hackers have been exploiting flaws in Roundcube webmail software to break into US and Canadian university networks, focusing on physics and engineering departments with national security ties. Rather than smash-and-grab, the attackers planted backdoors built for long-term access, and the campaign is believed to still be active.

What it means for you: This isn't the loud, ransom-note kind of breach. It's patient and quiet, designed to sit unnoticed for months. If your business runs older or unpatched web-based email or portal software anywhere in your systems, the same kind of long-term foothold is possible, and you might not know it's there until someone tells you.

A Big EU AI Deadline Lands August 2, and It Reaches Into Canada
Starting August 2, 2026, the European Union's AI Act imposes new transparency and risk-testing obligations on makers of large, general-purpose AI models, the kind of systems that power many everyday chatbots and writing tools. Companies that build these tools often serve customers worldwide, Canadian businesses included.

What it means for you: If your team relies on a major AI chatbot or writing assistant, watch for a policy update notice around this date. It may change what the tool can do, what data it retains, or what disclosures it now shows you.

Two Countries Just Wrote New Rules for AI Agents in the Same Week
China's new regulations for AI "agents," software that can take actions on its own rather than just answer questions, took effect July 15, sorting agents into risk tiers and requiring paperwork for the riskier ones. Days earlier, Illinois passed a law requiring large AI developers to undergo independent safety audits every year.

What it means for you: If you're testing an AI agent that can send emails, edit files, or make purchases without a human clicking "approve" each time, treat it like a new hire with a company credit card, not a search engine. Ask your vendor what oversight, logging, and audit trail comes with it before you give it more access.

43%

Of Canadian organizations experienced a cyberattack, attempted or successful, in the past year, and that figure holds up whether the business has ten employees or ten thousand. It's less a question of if your business will be targeted, and more a question of whether you'll notice quickly and recover cleanly when it happens.

ONE THING TO DO THIS WEEK

Make a List of Every AI Tool Your Team Actually Uses

With China, the EU, and a US state all writing new AI rules in the same week, and researchers reporting the first ransomware attack carried out almost entirely by an autonomous AI agent, the ground under AI tools is shifting fast. Most business owners can name the one AI tool they officially signed up for, but not the half dozen others that crept in through individual employees trying to work faster.

This week, ask everyone on your team to write down, in one shared document, every AI tool they use for work, including the free ones they never asked permission for. Note what each tool can see or touch: someone's inbox, your customer list, your codebase, your accounting software. You don't need a policy yet, you just need the list. You can't govern what you don't know exists.

"You can't govern what you don't know exists."

📌 QUICK BITES

A Canadian tech firm is the latest ransomware target. The Qilin ransomware group claims it breached Hilo, a Canadian technology company, on July 10 and is threatening to leak stolen data unless the company negotiates. A reminder that ransomware crews don't only chase hospitals and universities, mid-sized service and technology firms are squarely in their sights too.

Bill C-8 is now law. Royal Assent landed June 16, creating Canada's first mandatory breach-reporting and security rules for critical sectors like telecom, banking, energy, and transportation, with fines of up to $15 million a day for non-compliance. Most small businesses fall outside the direct rules, but if you supply a bank, utility, or telecom company, expect tougher security questions on your next contract renewal.

Canada confirmed it won't revive its stalled AI law. Ottawa's new "AI for All" strategy makes clear the government will not bring back the Artificial Intelligence and Data Act, and will instead lean on existing privacy law, guidance, and voluntary codes. Translation: no single sweeping Canadian AI statute is coming this year, but privacy law still applies to anything your business does with AI.

AI coding tools are being called "shadow IT with a bigger blast radius." Unlike a rogue app an employee quietly downloads, AI coding assistants can see an entire codebase and everything connected to it. If anyone on your team uses one, make sure whoever manages your systems knows which tool it is and what it can actually reach.

Global AI governance had its moment this week. China hosted the World AI Conference in Shanghai, pitching its own vision for international AI rules alongside the frameworks already moving in the EU and US. The bigger picture for Canadian businesses isn't any single rule, it's that AI compliance is becoming a patchwork of regional requirements, so it pays to know which region's rules actually apply to the AI tools and vendors you use.

💬 PARTING THOUGHT

Resilience keeps showing up this week in two different costumes. For Mount Royal University, it looked like a backup that either would or wouldn't exist somewhere the attackers couldn't reach. For every business trying to make sense of AI rules arriving from Brussels, Beijing, and Springfield in the same seven days, it looks like simply knowing which rules apply to you before a regulator or a customer asks.

Neither kind of resilience requires a big budget or a law degree. It requires deciding, on a calm Tuesday rather than during a crisis, what you'd actually do if the drive disappeared or the AI vendor changed its terms overnight.

Do that thinking now, a quote that a mentor of mine always used is “You don’t want to be building the emergency functions for the plane while you’re flying”

See you next Friday and stay
TryberResilient

Keep reading