WRDSB retirees say they felt left in the dark after data compromised in cyberattack
This is part two of a two-part series. For a timeline of cyberattack and the wide-ranging impacts it had on Waterloo Region District School Board (WRDSB) operations, read part one here.
In the wake of a cyberattack at the Waterloo Region District School Board (WRDSB) this past summer, some of the people impacted are raising questions about how it was handled.
The data accessed by hackers included details about employees dating back to 1970.
But some of those former employees say getting information about what happened, along with their risks, was difficult.
“We had one or two members almost in tears once they found out on the phone because they're concerned their life savings could be at risk, or they're maybe not in a great financial situation to begin with,” retired Kitchener teacher John Ryrie said.
Ryrie, part of a group of about 200 active retired members, says they largely learned of their risks through the media, leaving them with more questions than answers.
“The information from the board came in dribs and drabs and we were having some difficulty getting a complete picture,” he said.
The board says there was no way to ensure they had up to date contact information for former employees.
“We reached out to media outlets and utilized those media outlets to help us support reaching out,” WRDSB associate director Graham Shantz said. “And through the experts we worked with in this, that is a common approach that is used in situations like this.”
Retired Kitchener teacher John Ryrie says in the months after the cyberattack, retirees' main source of information about what happened was the media. (CTV Kitchener/Krista Simpson)
Ryrie says he realizes contacting all former employees is next to impossible, but he still wishes there had been clearer messages from the board.
He says knowing more specifics about what was accessed would have eliminated a lot of stress.
“For example, once I found out credit cards weren't part of the background, I felt some relief,” he explained.
Ryrie adds he was willing to change his bank account information in the aftermath of the attack, but didn’t have enough information to know whether that was necessary.
“That’s the kind of specific information you could deal with if you knew what they had access to or not had access to. And so we go back to exactly what were they able to find out about my history as an employee with the board? And that would have been helpful to have that right up front early, so everybody would know, and they could all go to their banks or their credit unions and do whatever they needed to do to put in further protection,” Ryrie says.
An internal memo announcing the security incident to system leaders at WRDSB reflects the board’s concern that hackers could use media coverage against it or obtain contradictory information from personal post or emails.
The memo includes a statement leaders were instructed to use if asked about the hack by staff, students and families. It reads: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
EXPERT ADVOCATES FOR TRANSPARENCY
David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute, says he believes more transparency was warranted in this case.
“The way to respond correctly, I think, is not to try to hide and minimize yourself as a target,” Jao said.
The initial notification of the security incident, sent to families on July 20, stated, “We know you will have questions or concerns, but we ask that you be patient and hold off contacting us. Once we have more information to share we will make it available to you.”
Jao says most organizations should be as transparent as possible in the aftermath of a cyberattack, and feels the school board should have provided more information on what had happened and how it was being addressed.
“There's certainly, I think, more information that could be provided, and probably should just in the name of good governance. The school board is a public organization, they are a steward of public money. The taxpayers – not just the affected people – but the community as a whole has a right to know what is going on and what you’re doing.”
WRDSB associate director Graham Shantz speaks to CTV News Kitchener. (Dan Lauckner/CTV News)
BOARD SAYS IT'S MAKING CHANGES
Ryrie says it wasn't until several months after the hack that members of the group eventually met with Graham Shantz at the board to get more details and share their concerns, including why former employee information was being kept for so long.
“Part of our concern is that we’re not sure why the board would need to keep that information for 52 years. What I think happened is it was just stored and everybody forgot about it because there was no concern. Well now there is a concern,” Ryrie said.
Shantz says the board is now reevaluating its information retention schedules for former employees.
It's one of a number of changes administrators are considering or already implementing.
“We've made enhancements to our infrastructure, even though we felt we had a very good defensive posture leading up to this incident, there were things that we learned through it and given us the opportunity to improve that infrastructure,” Shantz said.
Shantz says other measures taken include more training for students and staff on how cyber incidents can occur and be prevented in the future.
Retired employees were given one year of free credit monitoring from the board, but Ryrie says some are concerned that’s not enough.
Their group has looked into arranging their own monitoring in the future.
“We're trying to find protections wherever we can in order that our members' financial information is safe,” he said.
The school board says it’s looking at whether the year of free credit monitoring they arranged should be extended beyond this summer, although it says it’s not aware of anyone’s data being improperly used at this point.
CTVNews.ca Top Stories
Canadian team told Trump's tariffs unavoidable in short term in surprise Mar-a-Lago meeting
During a surprise dinner at Mar-a-Lago, representatives of the federal government were told U.S. tariffs from the incoming Donald Trump administration cannot be avoided in the immediate term, two government sources tell CTV News.
Toronto man accused of posing as surgeon, performing cosmetic procedures on several women
A 29-year-old Toronto man has been charged after allegedly posing as a surgeon and providing cosmetic procedures on several women.
W5 Investigates 'I never took part in beheadings': Canadian ISIS sniper has warning about future of terror group
An admitted Canadian ISIS sniper held in one of northeast Syria’s highest-security prisons has issued a stark warning about the potential resurgence of the terror group.
Is a phone for your kid on the holiday shopping list? Read this first
Many families may be considering giving their children their first device with direct access to the internet and social media, but there are some concerns.
It's time for a good movie this holiday season, here's what's new in theatres
This holiday season has a special edition at the theatres with movies "that everyone has been waiting for," says a movie expert from Ottawa.
Poilievre suggests Trudeau is too weak to engage with Trump, Ford won't go there
While federal Conservative Leader Pierre Poilievre has taken aim at Prime Minister Justin Trudeau this week, calling him too 'weak' to engage with U.S. president-elect Donald Trump, Ontario Premier Doug Ford declined to echo the characterization in an exclusive Canadian broadcast interview set to air this Sunday on CTV's Question Period.
Bruce the tiny Vancouver parrot lands internet fame with abstract art
Mononymous painter Bruce has carved a lucrative niche on social media with his abstract artworks, crafted entirely from the colourful juices of fruits.
Why this Toronto man ran so a giant stickman could dance
Colleagues would ask Duncan McCabe if he was training for a marathon, but, really, the 32-year-old accountant was committing multiple hours of his week, for 10 months, to stylistically run on the same few streets in Toronto's west end with absolutely no race in mind. It was all for the sake of creating a seconds-long animation of a dancing stickman for Strava.
Former Ont. teacher charged with sexually assaulting a teen nearly 50 years ago
A senior from Clearview Township faces charges in connection with an investigation into a sexual assault involving a teen nearly 50 years ago.