Internal memos reveal wide-ranging impacts of WRDSB cyberattack
Nine months after a cyberattack at the Waterloo Regional District School Board (WRDSB), we’re learning more about what was impacted and how the breach was handled.
On Wednesday, the board’s associate director sat down with CTV News in an exclusive interview, speaking about the incident and its aftermath for the first time.
Memos obtained through a Freedom of Information Request also shed more light on the scope of the attack.
CTV News put in a request for all emails, memos and internal communication about last summer’s cyber attack.
More than 1,000 pages were identified, but ultimately the board only released 38, citing privacy and solicitor-client privilege as reasons for withholding the rest.
The series of internal memos that CTV News did receive reveal just how widespread the issues were.
SYSTEMS BREACHED
On July 10, 2022, WRDSB learned it was the victim of what the board has described as a “cyber incident” or “cyber intrusion.”
“As soon as we discovered that there had been criminal activity within our network, we immediately prevented access to our network and it was within the same day that we brought in the expert third parties to support us in our processes,” WRDSB associate director Graham Shantz said.
While Shantz is not specifically naming which companies or experts were brought in to help, he says they are industry-leading experts in their field that have supported many public institutions in similar situations.
WRDSB associate director Graham Shantz speaks to CTV News Kitchener. (Dan Lauckner/CTV News)
CONCERNS ABOUT MESSAGING
Through the freedom of information request, CTV News obtained a memo sent on July 20, 2022, to system leaders at WRDSB. It indicates that all staff would be notified that day of the incident, and that they would be told in part, “We have confirmed that data was stolen, and we are working to determine the exact content of that data.”
System leaders were also provided with a statement they should use to respond to inquiries from staff, students and families, which was: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
The memo raises concerns that the messaging must be consistent “to ensure the hackers do not use media coverage against us or do not obtain contradictory information from personal posts or emails,” going on to indicate legal counsel has helped craft the statements.
The same day a memo was sent to students and their families, informing them of the incident, and stating in part, "While we believe that any risk to our students' sensitive information is low, it was important to us to make you aware of this incident."
Shantz says their investigation ultimately revealed the hackers had accessed one of the board’s networks that contained staff and student personal data.
DID WRDSB PAY A RANSOM?
On Aug. 12, the board revealed personal information of employees dating back to 1970 as well as some student information had been taken.
At the same time, the board said it had: “recovered the data, and we have received assurance that any data taken as part of the cyber intrusion has been deleted."
The board will not comment on whether they paid a ransom.
But experts say it’s something most organizations in this position end up doing.
“I'll put it this way, if a ransom had not been paid, I think the school board would be able to just say that it hasn't been paid,” said David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute.
HACK IMPACTS OPERATIONS FROM PAYROLL TO PRINTERS
Starting at the end of July, the board offered staff a year of credit monitoring.
“At this point, we have no indication that there has been any use of any data that was impacted,” Shantz said.
The incident created a number of other challenges as well.
A memo sent to staff on Aug. 17 outlines how many systems required workarounds – including incident reporting, new employee training, and security card systems.
There were also challenges programming building HVAC systems and payroll issues.
A further memo on Aug. 31 says some annual salary updates couldn't be processed and would have to be applied retroactively.
The help desk, email setup for new staff, password resets and even network printers at secondary schools were also inaccessible, among other things.
“Since day one of the incident in July, our priority was opening our doors in September to families and to students -- and I have to pass on a huge thank you to our staff who did a very outstanding job. There was a variety of approaches that were used to ensure that all our regulatory obligations were met and that we could safely open our doors in September,” Shantz said.
Shantz says operations were largely back to normal by late fall or early winter.
STUDENT INFORMATION ALSO TAKEN
At the end of September, the board announced that data for 70,000 students enrolled between 2006 and 2013 was among the information taken.
It said that information may have included names, birthdates, genders, whether the student had an individualized education plan, Ontario education numbers and historical education information.
Students of age were offered credit monitoring and the board says some took it, while adding it was believed the risk was low.
It’s an assessment experts agree with, saying the most sensitive piece of information is likely the date of birth.
“What a date of birth means is that it's one more piece of information that a potential bad actor can use to try to do things to you. By itself it's not going to be enough, it has to be combined with other things,” Jao said.
QUESTIONS REMAIN
What remains unclear is how criminals accessed the board’s network in the first place.
“At this time, working with our forensic experts, they weren't able to definitively define what the access point was,” Shantz said.
Waterloo regional police also continue to investigate the cyberattack.
This is part one of a two part series. On Friday, CTV News will look at some of the questions raised around how the board handled the situation and changes that have been made in the months since it happened.
CTVNews.ca Top Stories
opinion Tom Mulcair: Prime Minister Justin Trudeau's train wreck of a final act
In his latest column for CTVNews.ca, former NDP leader and political analyst Tom Mulcair puts a spotlight on the 'spectacular failure' of Prime Minister Justin Trudeau's final act on the political stage.
B.C. mayor gets calls from across Canada about 'crazy' plan to recruit doctors
A British Columbia community's "out-of-the-box" plan to ease its family doctor shortage by hiring physicians as city employees is sparking interest from across Canada, says Colwood Mayor Doug Kobayashi.
'There’s no support': Domestic abuse survivor shares difficulties leaving her relationship
An Edmonton woman who tried to flee an abusive relationship ended up back where she started in part due to a lack of shelter space.
Baseball Hall of Famer Rickey Henderson dead at 65, reports say
Rickey Henderson, a Baseball Hall of Famer and Major League Baseball’s all-time stolen bases leader, is dead at 65, according to multiple reports.
Arizona third-grader saves choking friend
An Arizona third-grader is being recognized by his local fire department after saving a friend from choking.
Germans mourn the 5 killed and 200 injured in the apparent attack on a Christmas market
Germans on Saturday mourned the victims of an apparent attack in which authorities say a doctor drove into a busy outdoor Christmas market, killing five people, injuring 200 others and shaking the public’s sense of security at what would otherwise be a time of joy.
Blake Lively accuses 'It Ends With Us' director Justin Baldoni of harassment and smear campaign
Blake Lively has accused her 'It Ends With Us' director and co-star Justin Baldoni of sexual harassment on the set of the movie and a subsequent effort to “destroy' her reputation in a legal complaint.
Oysters distributed in B.C., Alberta, Ontario recalled for norovirus contamination
The Canadian Food Inspection Agency has issued a recall due to possible norovirus contamination of certain oysters distributed in British Columbia, Alberta and Ontario.
New rules clarify when travellers are compensated for flight disruptions
The federal government is proposing new rules surrounding airlines' obligations to travellers whose flights are disrupted, even when delays or cancellations are caused by an "exceptional circumstance" outside of carriers' control.