The Waterloo Region District Public School Board has offered few public details about what it’s calling the “cyber incidents” that impacted its IT system, but one cyber security expert says the breach is concerning.

The public school board has said it was targeted by a criminal group, and confirmed data was stolen. The board has not yet outlined what data was taken.

Ali Dehghantanha, a professor of cyber security at the University of Guelph, said since the school board collects a lot of personal information, his biggest worry with the cyber breach is identity theft and that people’s private information could be used for social engineering attacks.

“If I know your kid’s name, your kid’s school, possibly even the marks of your kids, I can probably set up very interesting and sophisticated attacks and steal a lot of information from you,” he said. “Having that private information could give attackers an upper hand.”

Dehghantanha said the impact of identity theft can be long-lasting.

“Imagine I can steal information, like a SIN number from a kid who is not of age yet, keep it for some time until they get to a specific age and then start misusing it. That would be a really, really tough case to investigate.”

However, he said whoever’s information may have been compromised may not have to worry just yet. He suggested keeping a close eye on financial transactions and to be on alert for receiving random calls.

“We don’t know the scale of the information that’s been leaked out or stolen by the attackers, so currently, we are not in a position to give a good fair assessment of the impact of people.”

On Wednesday the school board said it is working to safeguard people’s personal information, but added it could take weeks before the investigation into how this happened and what was stolen is complete.

Dehghantanha said the investigation requires looking into how the attackers got to the information and what they stole.

“Most of these hacking groups are taking actions to remove their footprints,” he said. “That’s why the investigation would be very very complicated.”

He recommends businesses and corporations take the necessary steps to protect themselves from getting hacked, including changing cyber security procedures, and not storing unnecessary personal information.

“Make sure you have a proper data removal, data destruction procedure policy in place,” Dehghantanha said.

As for users, Dehghantanha said it’s best to only use websites that have two-factor authorization.

“If you make that compulsory, it works 200 times better than making your password policy sophisticated.”

The school board said it expects to release more information on the cyber incidents early next week.