Internal memos reveal wide-ranging impacts of WRDSB cyberattack
Nine months after a cyberattack at the Waterloo Regional District School Board (WRDSB), we’re learning more about what was impacted and how the breach was handled.
On Wednesday, the board’s associate director sat down with CTV News in an exclusive interview, speaking about the incident and its aftermath for the first time.
Memos obtained through a Freedom of Information Request also shed more light on the scope of the attack.
CTV News put in a request for all emails, memos and internal communication about last summer’s cyber attack.
More than 1,000 pages were identified, but ultimately the board only released 38, citing privacy and solicitor-client privilege as reasons for withholding the rest.
The series of internal memos that CTV News did receive reveal just how widespread the issues were.
SYSTEMS BREACHED
On July 10, 2022, WRDSB learned it was the victim of what the board has described as a “cyber incident” or “cyber intrusion.”
“As soon as we discovered that there had been criminal activity within our network, we immediately prevented access to our network and it was within the same day that we brought in the expert third parties to support us in our processes,” WRDSB associate director Graham Shantz said.
While Shantz is not specifically naming which companies or experts were brought in to help, he says they are industry-leading experts in their field that have supported many public institutions in similar situations.
WRDSB associate director Graham Shantz speaks to CTV News Kitchener. (Dan Lauckner/CTV News)
CONCERNS ABOUT MESSAGING
Through the freedom of information request, CTV News obtained a memo sent on July 20, 2022, to system leaders at WRDSB. It indicates that all staff would be notified that day of the incident, and that they would be told in part, “We have confirmed that data was stolen, and we are working to determine the exact content of that data.”
System leaders were also provided with a statement they should use to respond to inquiries from staff, students and families, which was: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
The memo raises concerns that the messaging must be consistent “to ensure the hackers do not use media coverage against us or do not obtain contradictory information from personal posts or emails,” going on to indicate legal counsel has helped craft the statements.
The same day a memo was sent to students and their families, informing them of the incident, and stating in part, "While we believe that any risk to our students' sensitive information is low, it was important to us to make you aware of this incident."
Shantz says their investigation ultimately revealed the hackers had accessed one of the board’s networks that contained staff and student personal data.
DID WRDSB PAY A RANSOM?
On Aug. 12, the board revealed personal information of employees dating back to 1970 as well as some student information had been taken.
At the same time, the board said it had: “recovered the data, and we have received assurance that any data taken as part of the cyber intrusion has been deleted."
The board will not comment on whether they paid a ransom.
But experts say it’s something most organizations in this position end up doing.
“I'll put it this way, if a ransom had not been paid, I think the school board would be able to just say that it hasn't been paid,” said David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute.
HACK IMPACTS OPERATIONS FROM PAYROLL TO PRINTERS
Starting at the end of July, the board offered staff a year of credit monitoring.
“At this point, we have no indication that there has been any use of any data that was impacted,” Shantz said.
The incident created a number of other challenges as well.
A memo sent to staff on Aug. 17 outlines how many systems required workarounds – including incident reporting, new employee training, and security card systems.
There were also challenges programming building HVAC systems and payroll issues.
A further memo on Aug. 31 says some annual salary updates couldn't be processed and would have to be applied retroactively.
The help desk, email setup for new staff, password resets and even network printers at secondary schools were also inaccessible, among other things.
“Since day one of the incident in July, our priority was opening our doors in September to families and to students -- and I have to pass on a huge thank you to our staff who did a very outstanding job. There was a variety of approaches that were used to ensure that all our regulatory obligations were met and that we could safely open our doors in September,” Shantz said.
Shantz says operations were largely back to normal by late fall or early winter.
STUDENT INFORMATION ALSO TAKEN
At the end of September, the board announced that data for 70,000 students enrolled between 2006 and 2013 was among the information taken.
It said that information may have included names, birthdates, genders, whether the student had an individualized education plan, Ontario education numbers and historical education information.
Students of age were offered credit monitoring and the board says some took it, while adding it was believed the risk was low.
It’s an assessment experts agree with, saying the most sensitive piece of information is likely the date of birth.
“What a date of birth means is that it's one more piece of information that a potential bad actor can use to try to do things to you. By itself it's not going to be enough, it has to be combined with other things,” Jao said.
QUESTIONS REMAIN
What remains unclear is how criminals accessed the board’s network in the first place.
“At this time, working with our forensic experts, they weren't able to definitively define what the access point was,” Shantz said.
Waterloo regional police also continue to investigate the cyberattack.
This is part one of a two part series. On Friday, CTV News will look at some of the questions raised around how the board handled the situation and changes that have been made in the months since it happened.
CTVNews.ca Top Stories
Walking pneumonia is surging in Canada. Is it peaking now?
CTVNews.ca spoke with various medical experts to find out the latest situation with the typically mild walking pneumonia in their area and whether parents should be worried.
Minister calls GST holiday, $250 cheques for 18 million Canadians 'a targeted approach'
Women and Gender Equality and Youth Minister Marci Ien is calling the federal government's proposed GST holiday and $250 rebate cheques a 'targeted approach' to address affordability concerns.
'Her shoe got sucked into the escalator': Toronto family warns of potential risk of wearing Crocs
A Toronto family is speaking out after their 10-year-old daughter's Crocs got stuck in an escalator, ripping the entire toe area of the clog off.
Ancient meets modern as a new subway in Greece showcases archeological treasures
Greece's second largest city, Thessaloniki, is getting a brand new subway system that will showcase archeological discoveries made during construction that held up the project for decades.
Quebec man, 81, gets prison sentence after admitting to killing wife with Alzheimer's disease
An 81-year-old Quebec man has been sentenced to prison after admitting to killing his wife with Alzheimer's disease.
Canada Post quarterly loss tops $300M as strike hits second week -- and rivals step in
Canada Post saw hundreds of millions of dollars drain out of its coffers last quarter, due largely to its dwindling share of the parcels market, while an ongoing strike continues to batter its bottom line.
'Immoral depravity': Two men convicted in case of frozen migrant family in Manitoba
A jury has found two men guilty on human smuggling charges in a case where a family from India froze to death in Manitoba while trying to walk across the Canada-U.S. border.
Prime Minister Trudeau attends Taylor Swift's Eras Tour in Toronto with family
Prime Minister Justin Trudeau is a Swiftie. His office confirmed to CTV News Toronto that he and members of his family are attending the penultimate show of Taylor Swift's 'The Eras Tour' in Toronto on Friday evening.
Trump supporters review-bomb B.C. floral shop by accident
A small business owner from B.C.'s Fraser Valley is speaking out after being review-bombed by confused supporters of U.S. president-elect Donald Trump this week.