A major cybersecurity breach occurred in July at the Waterloo Region District School Board, in which personal information of current and past employees dating back to 1970, as well as that of students, was obtained.
In a statement released on Friday, the board said it became aware last month of an “unauthorized access to our IT system. We immediately retained cyber forensic experts to conduct a comprehensive investigation.
“This investigation has now confirmed that personal information of our current and past employees was accessed. We can also confirm that certain student information was also accessed.
“We have recovered the data, and we have received assurance that any data taken as part of the cyber intrusion has been deleted.”
According to the statement, the following information was accessed by the perpetrators:
Category 1 – Past and Current Employees: “The attackers unlawfully accessed a restricted network drive that contained sensitive personal information related to payroll and benefits administration. These files included the names, birthdates, banking information, and social insurance numbers of all current and past employees dating back to 1970. The payment history for employees dating back to 2012 was also included.”
Category 2 – Student Information Database: “We have confirmed that certain student information was accessed. We are still actively investigating the full scope of the impact on student information, and we will be providing an update once we know more.
“If further analysis finds anyone whose personal information was impacted but it does not fall into the categories above, WRDSB will then contact those individuals directly.”
Eusis Dougan-McKenzie, chief communications officer with the board, said that “this cyber intrusion disrupted our operations, and WRDSB responded immediately by engaging cyber security experts and prioritizing a full return of our operational functions. It has been difficult, especially for staff, both those waiting on payments and records of employment and those who were working on resolving this issue.”
The statement went on to say that “going forward, we are taking a number of additional measures to strengthen our systems. Working in collaboration with our internal IT team and external IT experts, we are continuing to invest in leading technologies to protect our systems and data from ever-growing cybersecurity threats.”
According to the WRDSB, “the Information and Privacy Commissioner of Ontario (IPC) has been notified of the incident. Anyone wishing to file a complaint, it said, should visit: https://www.ipc.on.ca/resources/forms/.”