WRDSB retirees say they felt left in the dark after data compromised in cyberattack
This is part two of a two-part series. For a timeline of cyberattack and the wide-ranging impacts it had on Waterloo Region District School Board (WRDSB) operations, read part one here.
In the wake of a cyberattack at the Waterloo Region District School Board (WRDSB) this past summer, some of the people impacted are raising questions about how it was handled.
The data accessed by hackers included details about employees dating back to 1970.
But some of those former employees say getting information about what happened, along with their risks, was difficult.
“We had one or two members almost in tears once they found out on the phone because they're concerned their life savings could be at risk, or they're maybe not in a great financial situation to begin with,” retired Kitchener teacher John Ryrie said.
Ryrie, part of a group of about 200 active retired members, says they largely learned of their risks through the media, leaving them with more questions than answers.
“The information from the board came in dribs and drabs and we were having some difficulty getting a complete picture,” he said.
The board says there was no way to ensure they had up to date contact information for former employees.
“We reached out to media outlets and utilized those media outlets to help us support reaching out,” WRDSB associate director Graham Shantz said. “And through the experts we worked with in this, that is a common approach that is used in situations like this.”
Ryrie says he realizes contacting all former employees is next to impossible, but he still wishes there had been clearer messages from the board.
He says knowing more specifics about what was accessed would have eliminated a lot of stress.
“For example, once I found out credit cards weren't part of the background, I felt some relief,” he explained.
Ryrie adds he was willing to change his bank account information in the aftermath of the attack, but didn’t have enough information to know whether that was necessary.
“That’s the kind of specific information you could deal with if you knew what they had access to or not had access to. And so we go back to exactly what were they able to find out about my history as an employee with the board? And that would have been helpful to have that right up front early, so everybody would know, and they could all go to their banks or their credit unions and do whatever they needed to do to put in further protection,” Ryrie says.
An internal memo announcing the security incident to system leaders at WRDSB reflects the board’s concern that hackers could use media coverage against it or obtain contradictory information from personal post or emails.
The memo includes a statement leaders were instructed to use if asked about the hack by staff, students and families. It reads: “I am aware that the WRDSB has been the victim of a cyber incident and that staff in collaboration with experts are working to resolve the issue and safeguard staff and student information.”
EXPERT ADVOCATES FOR TRANSPARENCY
David Jao, a University of Waterloo professor and member of the Cybersecurity and Privacy Institute, says he believes more transparency was warranted in this case.
“The way to respond correctly, I think, is not to try to hide and minimize yourself as a target,” Jao said.
The initial notification of the security incident, sent to families on July 20, stated, “We know you will have questions or concerns, but we ask that you be patient and hold off contacting us. Once we have more information to share we will make it available to you.”
Jao says most organizations should be as transparent as possible in the aftermath of a cyberattack, and feels the school board should have provided more information on what had happened and how it was being addressed.
“There's certainly, I think, more information that could be provided, and probably should just in the name of good governance. The school board is a public organization, they are a steward of public money. The taxpayers – not just the affected people – but the community as a whole has a right to know what is going on and what you’re doing.”
BOARD SAYS IT'S MAKING CHANGES
Ryrie says it wasn't until several months after the hack that members of the group eventually met with Graham Shantz at the board to get more details and share their concerns, including why former employee information was being kept for so long.
“Part of our concern is that we’re not sure why the board would need to keep that information for 52 years. What I think happened is it was just stored and everybody forgot about it because there was no concern. Well now there is a concern,” Ryrie said.
Shantz says the board is now reevaluating its information retention schedules for former employees.
It's one of a number of changes administrators are considering or already implementing.
“We've made enhancements to our infrastructure, even though we felt we had a very good defensive posture leading up to this incident, there were things that we learned through it and given us the opportunity to improve that infrastructure,” Shantz said.
Shantz says other measures taken include more training for students and staff on how cyber incidents can occur and be prevented in the future.
Retired employees were given one year of free credit monitoring from the board, but Ryrie says some are concerned that’s not enough.
Their group has looked into arranging their own monitoring in the future.
“We're trying to find protections wherever we can in order that our members' financial information is safe,” he said.
The school board says it’s looking at whether the year of free credit monitoring they arranged should be extended beyond this summer, although it says it’s not aware of anyone’s data being improperly used at this point.