The Huron-Superior Catholic District School Board isn't saying whether or not it has forked over a ransom to cyber-attackers after a new yet already notorious form of ransomware was used to infiltrate a server and steal what the board calls a “significant number of files” — including social insurance numbers and banking information for teachers and board staff — in an attack which hijacked the board’s communications systems and shut down English Catholic schools across northeastern Ontario just before the Christmas break.
“We are not providing further comment on account of security concerns,” said board spokesperson Jim Fitzpatrick via email Wednesday, after SooToday reached out to education director Danny Viotto to ask whether a ransom has been paid by the board — and if so, how much money was surrendered to attackers.
Hackers sent a typewritten note through printers and photocopiers at both the board office and numerous schools when the school board’s computer and phone systems were breached Dec. 15.
SooToday obtained a copy of the note, which confirms that the board’s computer network was hit by Royal ransomware — encrypting its critical data and holding it hostage until a “modest royalty” is paid out.
The dollar amount of the ransom demand was not specified in the letter, but it did contain a link for the board to communicate with the attackers.
Hackers have since informed the board that they have deleted the seized files, which exposed private information — including social insurance numbers, banking information and other personal information including date of birth — of staff members employed by the board during the 2019, 2020, 2021 and 2022 tax years.
In a statement issued Tuesday, the Huron-Superior Catholic District School Board says it will provide affected employees with two years of credit monitoring service that will allow staff to check for signs of identity fraud.
The president of the Huron-Superior Ontario English Catholic Teachers' Association — the union representing teachers employed by the school board — says concerns over the theft of personal information are being raised by several of its members.
“Although the local is certainly appreciative of the fact the board will be providing two years of a credit monitoring service at no charge, there is still concern that personal information may be used in other ways,” said Darrell Czop in an email to SooToday. “The association has been working with the board in regards to what can be done to reduce the possibility of identity theft as well as any other misuse of personal information.”
The cybersecurity arm of the U.S. Department of Health and Human Services recently issued a report alerting the healthcare sector to ransomware attacks by Royal, which has been known to issue ransom demands ranging between US$250,000 and US$2 million since the form of ransomware was first observed in September 2022.