The Huron-Superior Catholic District School Board says it “worked diligently” to respond to a December cyberattack that wreaked havoc on its computer network and “has been transparent” with students, families and employees throughout the five-month ordeal.
In a new statement released this afternoon, the board also says it learned important lessons from the attack, implemented stronger cybersecurity defences, and is looking forward to putting “this difficult matter behind us.”
The statement comes after SooToday first reported last night that the school board has mailed letters to an undisclosed number of students and recent graduates, warning them that their personal information — including dates of birth, health card numbers, photographs and citizenship status — was compromised in the high-profile ransomware attack.
In January, the school board disclosed that the hackers stole a “significant number of files” from a board server, including social insurance numbers and banking information for staff members employed between 2019 and 2022. At the time, the board also said “some students and parents will likely be affected" but that it would take time to analyze the data.
The letters mailed out last week confirm — for the first time — that sensitive student files were indeed compromised.
The board will not say how many students received a letter. It will also not disclose whether a ransom was paid to retrieve any of the stolen data.
Below is the full statement posted this afternoon on the website of the Huron-Superior Catholic District School Board:
To whom it may concern:
We are providing further information about the cyber incident that we first announced on December 15, 2022.
The Board has worked diligently in responding to the incident and has been transparent in its approach.
We announced the incident on the day it first came to our attention. Later, in early January, we announced that certain employees were affected and provided individual notices to that group of employees later in the month. At the same time, we announced that further analysis of data was required, and that we would notify families of affected students in time.
Over the past several weeks we have been notifying affected students and parents as well as some employees that we did not know were affected until completing our data analysis. We offered credit monitoring services to individuals as warranted and based on the type of information exposed. As directed, individuals with questions should contact the Board via at the following email address [email protected]
Delivering the notices was a major milestone in putting this difficult matter behind us. We have learned from it and are continuing to strengthen our defences. Security concerns themselves limit our ability to say more, but we would like our community to know that our efforts are multi-faceted, improve our defences against phishing attacks, and enhance our ability to detect intrusions should they occur.
We are confident that we are better protected from the significant cyber security risks which face school boards across the province today.
Sincerely,
Danny Viotto, Director of Education
Gary Trembinski, Board Chairperson