Internal memos reveal wide-ranging impacts of WRDSB cyberattack
Nine months after a cyberattack at the Waterloo Regional District School Board (WRDSB), we’re learning more about what was impacted and how the breach was handled.
On Wednesday, the board’s associate director sat down with CTV News in an exclusive interview, speaking about the incident and its aftermath for the first time.
Memos obtained through a freedom of information request also shed more light on the scope of the attack.
CTV News put in a request for all emails, memos and internal communication about last summer’s cyberattack.
More than 1,000 pages were identified, but ultimately the board only released 38, citing privacy and solicitor-client privilege as reasons for withholding the rest.
The series of internal memos that CTV News did receive reveal just how widespread the issues were.
SYSTEMS BREACHED
On July 10, 2022, WRDSB learned it was the victim of what the board has described as a “cyber incident” or “cyber intrusion.”
“As soon as we discovered that there had been criminal activity within our network, we immediately prevented access to our network and it was within the same day that we brought in the expert third parties to support us in our processes,” WRDSB associate director Graham Shantz said.
While Shantz is not specifically naming which companies or experts were brought in to help, he says they are industry-leading experts in their field that have supported many public institutions in similar situations.
WRDSB associate director Graham Shantz speaks to CTV News Kitchener. (Dan Lauckner/CTV News)
CONCERNS ABOUT MESSAGING
Through the freedom of information request, CTV News obtained a memo sent on July 20, 2022, to system leaders at WRDSB. It indicates that all staff would be notified that day of the incident, and that they would be told in part, “We have confirmed that data was stolen, and we are working to determine the exact content of that data.”
System leaders were also provided with a statement they should use to respond to inquiries from staff, students and families, which was: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
The memo raises concerns that the messaging must be consistent “to ensure the hackers do not use media coverage against us or do not obtain contradictory information from personal posts or emails,” going on to indicate legal counsel has helped craft the statements.
The same day, a memo was sent to students and their families, informing them of the incident, and stating in part, "While we believe that any risk to our students' sensitive information is low, it was important to us to make you aware of this incident."
Shantz says their investigation ultimately revealed the hackers had accessed one of the board’s networks that contained staff and student personal data.
DID WRDSB PAY A RANSOM?
On Aug. 12, the board revealed personal information of employees dating back to 1970 as well as some student information had been taken.
At the same time, the board said it had “recovered the data, and we have received assurance that any data taken as part of the cyber intrusion has been deleted.”
The board will not comment on whether they paid a ransom.
But experts say it’s something most organizations in this position end up doing.
“I'll put it this way, if a ransom had not been paid, I think the school board would be able to just say that it hasn't been paid,” said David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute.
HACK IMPACTS OPERATIONS FROM PAYROLL TO PRINTERS
Starting at the end of July, the board offered staff a year of credit monitoring.
“At this point, we have no indication that there has been any use of any data that was impacted,” Shantz said.
The incident created a number of other challenges as well.
A memo sent to staff on Aug. 17 outlines how many systems required workarounds – including incident reporting, new employee training, and security card systems.
There were also challenges programming building HVAC systems and payroll issues.
A further memo on Aug. 31 says some annual salary updates couldn't be processed and would have to be applied retroactively.
The help desk, email setup for new staff, password resets and even network printers at secondary schools were also inaccessible, among other things.
“Since day one of the incident in July, our priority was opening our doors in September to families and to students -- and I have to pass on a huge thank you to our staff who did a very outstanding job. There was a variety of approaches that were used to ensure that all our regulatory obligations were met and that we could safely open our doors in September,” Shantz said.
Shantz says operations were largely back to normal by late fall or early winter.
STUDENT INFORMATION ALSO TAKEN
At the end of September, the board announced that data for 70,000 students enrolled between 2006 and 2013 was among the information taken.
It said that information may have included names, birthdates, genders, whether the student had an individualized education plan, Ontario education numbers and historical education information.
Students of age were offered credit monitoring and the board says some took it, while adding it was believed the risk was low.
It’s an assessment experts agree with, saying the most sensitive piece of information is likely the date of birth.
“What a date of birth means is that it's one more piece of information that a potential bad actor can use to try to do things to you. By itself it's not going to be enough, it has to be combined with other things,” Jao said.
QUESTIONS REMAIN
What remains unclear is how criminals accessed the board’s network in the first place.
“At this time, working with our forensic experts, they weren't able to definitively define what the access point was,” Shantz said.
Waterloo regional police also continue to investigate the cyberattack.
This is part one of a two-part series. On Friday, CTV News will look at some of the questions raised around how the board handled the situation and changes that have been made in the months since it happened.