More than two months after first becoming aware of a cyber security incident, the Waterloo Region District Public School Board (WRDSB) has reported the hack to Waterloo Regional Police Service (WRPS).

According to police, they do not have an exact date, but said the report was made “recently.”

Previously the school board stated that the OPP Cyber Unit had been notified.

The OPP told CTV News: “Despite the response you received from the Waterloo District School Board, I have confirmed the following: If the school board has or were to report this incident it would need to be to the WRPS who would take the lead of an investigation. Sometimes in these cases, OPP will assist but only in a supporting role,” said OPP Acting Sergeant Erin Cranton.

CTV News reached out to WRDSB for clarification.

In an emailed statement the board reiterated that they reported the incident to OPP in July.

“A standard process recommended by the cyber experts was followed. Then additional information was reported to law enforcement both provincial and local,” the board said.

When asked why WRDSB waited until recently to report the incident to Waterloo regional police, the board did not answer.

CTV News also requested an interview with WRDSB, but no one from the board has been made available.

Both the Information and Privacy Commissioner of Ontario, and the Ministry of Education say they have been notified of the incident.

The full extent of the hack is not known.

In August, WRDSB confirmed "attackers accessed a restricted network drive that contained sensitive personal information related to payroll and benefits administration.”

Included in the drive were names, birthdates, banking information, and social insurance numbers of all current and past employees dating back to 1970.

The payroll history of employees dating back to 2012 was also accessed.

The board confirmed that it was the target of a criminal group, and several additional measures are being taken going forward to strengthen their system.

It was later revealed some staff were unable to access their EI due to the breach.

When it comes to student data, the board said it still is not sure what information was taken.

As of Aug. 29, WRDSB said the analysis is not complete, adding this is labour-intensive work that takes weeks.


A previous version of this story incorrectly stated it has been more than three months since the school board first became aware of the cyber incident on July 10. In fact, it has been more than two months since July 10.