The largest school board in Canada and others in North America have received rescue demands related to the massive breach of cybersecurity of schooling that hit during the winter holidays, this after the company asked the computer pirates to eliminate stolen data.
Despite the guarantees that the data was eliminated, it turns out that this is not the case, the Toronto District School Board (TDSB) said Wednesday.
The Board said in an email to the families on Wednesday that he had received a rescue demand “from a threat actor” using data of the December 2024 violation.
The Peel District School Board, west of Toronto, and the Calgary Education Board, the largest in the west of Canada, also alerted families about the extortion attempts used by the data, which was stolen after an account of powers of powers used to provide technical support was compromised.
School divisions just throughout Canada, in Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nueva Scotia, Northwest Territories, Prince Eduardo and Saskatchewan island, mainly use the system based on the California company website for Administer personal and sometimes medical information, grades and other details. Some use it as a portal to communicate with families.
In the violation, different types of data were accessed, in some cases in decades. Depending on the Board, that could have included names, birth dates, house address and telephone numbers. In other cases, it could have been exposed even more personal information, such as student identification numbers, gender, medical information and emergency contacts.
The company said Wednesday that its decision to pay the rescue had been difficult. The company did not say how much it paid.
“We believe it was the best for our clients and the students and communities we serve,” said the company in a statement, adding that the new rescue demands have already informed us of the Canadian police.
“We sincerely regret these developments: it hurts that our clients are being threatened and revicted.”
Both the Toronto and Calgary boards again encouraged families to carry out the offer of credit monitoring and identity protection services of Powerschool.
‘Some serious damage’
This last development is a “worst of cases that come true,” said the technology analyst Carmi Levy from London, Ontario.
“Every time a rescue is paid, that is the risk that runs and, unfortunately, in this case, they bet and lost.”
The data, including student information, have a high value for cybercriminals, which can combine it with stolen details in other infractions to create a more satisfied package to be used for identity theft or financial attacks, says Levy.
“Even something as harmless as the address of the house where we grew up or the names of our teachers when we were children can be used to access other accounts that are currently important, such as our bank accounts,” he said.
“These are very harmful, highly personal data and, in the hands of a cybercriminal, they can cause serious damage.”
More security, better necessary communication
When it comes to cybersecurity, “the attackers only have to succeed once and the defenders have to succeed … all the time,” said Charles Finlay, executive director of the Cyber Secure Catalizer of Rogers at the Metropolitan University of Toronto.
He says that there are many school boards to improve the way they ensure the data entrusted to them and make cyber attacks “as difficult as possible and that these events are as rare as possible.”
For Toronto’s father, Jack Ammendolia would also appreciate the school boards that send clear, honest and more regular updates.
He has a child in grade 2 and has been following the Electronic TDSB emails about this and other infractions for years.
“At this point, I think you begin to lose confidence in those guarantees,” he said. “They have passed sometimes.” The board was reached by another cyber attack in August.
Ammendolia reported that the violation of the School of Power to the Information and Privacy Commissioner of Ontario as an individual, for example, and says that since then he received an update that included some of the TDSB efforts to improve his data safety.
He says that this is information that should be widely shared with all parents, not only those who communicated with the privacy commissioner.
He says that no one expects schools to avoid each cyber attack, but “I hope there may be things to reduce the incidence rate [and] Just let parents know “more about them.
