Internal memos reveal wide-ranging impacts of WRDSB cyberattack
Nine months after a cyberattack at the Waterloo Regional District School Board (WRDSB), we’re learning more about what was impacted and how the breach was handled.
On Wednesday, the board’s associate director sat down with CTV News in an exclusive interview, speaking about the incident and its aftermath for the first time.
Memos obtained through a Freedom of Information Request also shed more light on the scope of the attack.
CTV News put in a request for all emails, memos and internal communication about last summer’s cyber attack.
More than 1,000 pages were identified, but ultimately the board only released 38, citing privacy and solicitor-client privilege as reasons for withholding the rest.
The series of internal memos that CTV News did receive reveal just how widespread the issues were.
On July 10, 2022, WRDSB learned it was the victim of what the board has described as a “cyber incident” or “cyber intrusion.”
“As soon as we discovered that there had been criminal activity within our network, we immediately prevented access to our network and it was within the same day that we brought in the expert third parties to support us in our processes,” WRDSB associate director Graham Shantz said.
While Shantz is not specifically naming which companies or experts were brought in to help, he says they are industry-leading experts in their field that have supported many public institutions in similar situations.
CONCERNS ABOUT MESSAGING
Through the freedom of information request, CTV News obtained a memo sent on July 20, 2022, to system leaders at WRDSB. It indicates that all staff would be notified that day of the incident, and that they would be told in part, “We have confirmed that data was stolen, and we are working to determine the exact content of that data.”
System leaders were also provided with a statement they should use to respond to inquiries from staff, students and families, which was: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
The memo raises concerns that the messaging must be consistent “to ensure the hackers do not use media coverage against us or do not obtain contradictory information from personal posts or emails,” going on to indicate legal counsel has helped craft the statements.
The same day a memo was sent to students and their families, informing them of the incident, and stating in part, "While we believe that any risk to our students' sensitive information is low, it was important to us to make you aware of this incident."
Shantz says their investigation ultimately revealed the hackers had accessed one of the board’s networks that contained staff and student personal data.
DID WRDSB PAY A RANSOM?
On Aug. 12, the board revealed personal information of employees dating back to 1970 as well as some student information had been taken.
At the same time, the board said it had: “recovered the data, and we have received assurance that any data taken as part of the cyber intrusion has been deleted."
The board will not comment on whether they paid a ransom.
But experts say it’s something most organizations in this position end up doing.
“I'll put it this way, if a ransom had not been paid, I think the school board would be able to just say that it hasn't been paid,” said David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute.
HACK IMPACTS OPERATIONS FROM PAYROLL TO PRINTERS
Starting at the end of July, the board offered staff a year of credit monitoring.
“At this point, we have no indication that there has been any use of any data that was impacted,” Shantz said.
The incident created a number of other challenges as well.
A memo sent to staff on Aug. 17 outlines how many systems required workarounds – including incident reporting, new employee training, and security card systems.
There were also challenges programming building HVAC systems and payroll issues.
A further memo on Aug. 31 says some annual salary updates couldn't be processed and would have to be applied retroactively.
The help desk, email setup for new staff, password resets and even network printers at secondary schools were also inaccessible, among other things.
“Since day one of the incident in July, our priority was opening our doors in September to families and to students -- and I have to pass on a huge thank you to our staff who did a very outstanding job. There was a variety of approaches that were used to ensure that all our regulatory obligations were met and that we could safely open our doors in September,” Shantz said.
Shantz says operations were largely back to normal by late fall or early winter.
STUDENT INFORMATION ALSO TAKEN
At the end of September, the board announced that data for 70,000 students enrolled between 2006 and 2013 was among the information taken.
It said that information may have included names, birthdates, genders, whether the student had an individualized education plan, Ontario education numbers and historical education information.
Students of age were offered credit monitoring and the board says some took it, while adding it was believed the risk was low.
It’s an assessment experts agree with, saying the most sensitive piece of information is likely the date of birth.
“What a date of birth means is that it's one more piece of information that a potential bad actor can use to try to do things to you. By itself it's not going to be enough, it has to be combined with other things,” Jao said.
What remains unclear is how criminals accessed the board’s network in the first place.
“At this time, working with our forensic experts, they weren't able to definitively define what the access point was,” Shantz said.
Waterloo regional police also continue to investigate the cyberattack.
This is part one of a two part series. On Friday, CTV News will look at some of the questions raised around how the board handled the situation and changes that have been made in the months since it happened.