WRDSB retirees say they felt left in the dark after data compromised in cyberattack
This is part two of a two-part series. For a timeline of cyberattack and the wide-ranging impacts it had on Waterloo Region District School Board (WRDSB) operations, read part one here.
In the wake of a cyberattack at the Waterloo Region District School Board (WRDSB) this past summer, some of the people impacted are raising questions about how it was handled.
The data accessed by hackers included details about employees dating back to 1970.
But some of those former employees say getting information about what happened, along with their risks, was difficult.
“We had one or two members almost in tears once they found out on the phone because they're concerned their life savings could be at risk, or they're maybe not in a great financial situation to begin with,” retired Kitchener teacher John Ryrie said.
Ryrie, part of a group of about 200 active retired members, says they largely learned of their risks through the media, leaving them with more questions than answers.
“The information from the board came in dribs and drabs and we were having some difficulty getting a complete picture,” he said.
The board says there was no way to ensure they had up to date contact information for former employees.
“We reached out to media outlets and utilized those media outlets to help us support reaching out,” WRDSB associate director Graham Shantz said. “And through the experts we worked with in this, that is a common approach that is used in situations like this.”
Retired Kitchener teacher John Ryrie says in the months after the cyberattack, retirees' main source of information about what happened was the media. (CTV Kitchener/Krista Simpson)
Ryrie says he realizes contacting all former employees is next to impossible, but he still wishes there had been clearer messages from the board.
He says knowing more specifics about what was accessed would have eliminated a lot of stress.
“For example, once I found out credit cards weren't part of the background, I felt some relief,” he explained.
Ryrie adds he was willing to change his bank account information in the aftermath of the attack, but didn’t have enough information to know whether that was necessary.
“That’s the kind of specific information you could deal with if you knew what they had access to or not had access to. And so we go back to exactly what were they able to find out about my history as an employee with the board? And that would have been helpful to have that right up front early, so everybody would know, and they could all go to their banks or their credit unions and do whatever they needed to do to put in further protection,” Ryrie says.
An internal memo announcing the security incident to system leaders at WRDSB reflects the board’s concern that hackers could use media coverage against it or obtain contradictory information from personal post or emails.
The memo includes a statement leaders were instructed to use if asked about the hack by staff, students and families. It reads: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
EXPERT ADVOCATES FOR TRANSPARENCY
David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute, says he believes more transparency was warranted in this case.
“The way to respond correctly, I think, is not to try to hide and minimize yourself as a target,” Jao said.
The initial notification of the security incident, sent to families on July 20, stated, “We know you will have questions or concerns, but we ask that you be patient and hold off contacting us. Once we have more information to share we will make it available to you.”
Jao says most organizations should be as transparent as possible in the aftermath of a cyberattack, and feels the school board should have provided more information on what had happened and how it was being addressed.
“There's certainly, I think, more information that could be provided, and probably should just in the name of good governance. The school board is a public organization, they are a steward of public money. The taxpayers – not just the affected people – but the community as a whole has a right to know what is going on and what you’re doing.”
WRDSB associate director Graham Shantz speaks to CTV News Kitchener. (Dan Lauckner/CTV News)
BOARD SAYS IT'S MAKING CHANGES
Ryrie says it wasn't until several months after the hack that members of the group eventually met with Graham Shantz at the board to get more details and share their concerns, including why former employee information was being kept for so long.
“Part of our concern is that we’re not sure why the board would need to keep that information for 52 years. What I think happened is it was just stored and everybody forgot about it because there was no concern. Well now there is a concern,” Ryrie said.
Shantz says the board is now reevaluating its information retention schedules for former employees.
It's one of a number of changes administrators are considering or already implementing.
“We've made enhancements to our infrastructure, even though we felt we had a very good defensive posture leading up to this incident, there were things that we learned through it and given us the opportunity to improve that infrastructure,” Shantz said.
Shantz says other measures taken include more training for students and staff on how cyber incidents can occur and be prevented in the future.
Retired employees were given one year of free credit monitoring from the board, but Ryrie says some are concerned that’s not enough.
Their group has looked into arranging their own monitoring in the future.
“We're trying to find protections wherever we can in order that our members' financial information is safe,” he said.
The school board says it’s looking at whether the year of free credit monitoring they arranged should be extended beyond this summer, although it says it’s not aware of anyone’s data being improperly used at this point.
CTVNews.ca Top Stories
DEVELOPING Man sets self on fire outside New York court where Trump trial underway
A man set himself on fire on Friday outside the New York courthouse where Donald Trump's historic hush-money trial was taking place as jury selection wrapped up, but officials said he did not appear to have been targeting Trump.
Sask. father found guilty of withholding daughter to prevent her from getting COVID-19 vaccine
Michael Gordon Jackson, a Saskatchewan man accused of abducting his daughter to prevent her from getting a COVID-19 vaccine, has been found guilty for contravention of a custody order.
She set out to find a husband in a year. Then she matched with a guy on a dating app on the other side of the world
Scottish comedian Samantha Hannah was working on a comedy show about finding a husband when Toby Hunter came into her life. What happened next surprised them both.
Mandisa, Grammy award-winning 'American Idol' alum, dead at 47
Soulful gospel artist Mandisa, a Grammy-winning singer who got her start as a contestant on 'American Idol' in 2006, has died, according to a statement on her verified social media. She was 47.
'It could be catastrophic': Woman says natural supplement contained hidden painkiller drug
A Manitoba woman thought she found a miracle natural supplement, but said a hidden ingredient wreaked havoc on her health.
Young people 'tortured' if stolen vehicle operations fail, Montreal police tell MPs
One day after a Montreal police officer fired gunshots at a suspect in a stolen vehicle, senior officers were telling parliamentarians that organized crime groups are recruiting people as young as 15 in the city to steal cars so that they can be shipped overseas.
The Body Shop Canada explores sale as demand outpaces inventory: court filing
The Body Shop Canada is exploring a sale as it struggles to get its hands on enough inventory to keep up with "robust" sales after announcing it would file for creditor protection and close 33 stores.
Vicious attack on a dog ends with charges for northern Ont. suspect
Police in Sault Ste. Marie charged a 22-year-old man with animal cruelty following an attack on a dog Thursday morning.
On federal budget, Macklem says 'fiscal track has not changed significantly'
Bank of Canada governor Tiff Macklem says Canada's fiscal position has 'not changed significantly' following the release of the federal government's budget.