If you were a student or staff member with Brant Haldimand Norfolk Catholic District School Board in the last decade and a half, hackers may have accessed your address, phone number and social insurance number (SIN).
Last month, the board notified parents it was part of a widespread data breach affecting dozens of school boards across Canada and the U.S. who use PowerSchool, a third-party platform that manages a range of student and staff details, like personal contact information, marks and class schedules.
At that time, the board said it was waiting on investigation results before sharing specific details.
On Monday, it revealed the breach involved student and staff records going back to Sept. 1, 2009.
The compromised information included students’ names, addresses, birthdates, phone numbers, guardian and emergency contact names and numbers, Ontario Education Numbers (OENs) and medical conditions, according to a letter the board sent to staff and students on Feb. 3.
Board employees with PowerSchool accounts may have had their names, addresses, employee numbers, and — in “less than 135” instances — SIN numbers accessed.
Current students and teachers who have been affected have received “direct notification” of the breach, but the board is relying on “indirect communication” for former students, a spokesperson told The Spectator.
Banking and credit-card information, personal phone numbers of staff, student grades and individual education plans were not compromised, the board said.
If someone is trying to “phish someone” or get into their email account, these details could be useful, according to Gareth Mott, a research fellow at the Royal United Services Institute (RUSI) for defence and security studies.
But it’s not “massively sensitive” information, because many people already have their basic details somewhere online, he said.
Still, cybercriminals could leverage this information, for instance by cold-calling parents, to put more pressure on victim organizations to pay a ransom, Mott said.
PowerSchool “received confirmation” that the hacker deleted the data and it wasn’t posted anywhere online, according to the board’s website.
However, Mott cautioned there isn’t really a conclusive way to confirm this, so it means “relying on the word of the criminal.”
He pointed to a massive takedown by law enforcement of ransomware-as-a-service provider LockBit last year.
“One of the things that they found was that the LockBit operators weren’t deleting the data when they said they were going to,” he said.
Instead, they collected the ransom and, while they didn’t release the data, in many cases they kept it, possibly to use to go back to the victim organization for future extortion, he said.
The board said it “continues to take this incident very seriously” and is working with PowerSchool to “ensure an incident like this does not happen again in the future.”
It plans to continue using PowerSchool at this time, but is working with “industry experts” to review data-retention practices and how it protects personal information.
Courtesy of PowerSchool, current and past students and staff have until May 30 to sign up for two years of identity protection services with Experian, and credit monitoring services through TransUnion, according to the board’s website.
This is a common practice in cybersecurity incidents. For folks who are feeling nervous about their data, it could also be reassuring to speak with an independent third party to get a better understanding of where the data is, what the risk exposure is, or whether their credit score has been or will be impacted, Mott said.
For more information, or to sign up for identity protection or credit monitoring services, visit 1.bhncdsb.ca/powerschool-cyber-incident.
Celeste Percy-Beauregard’s reporting is funded by the Canadian government through its Local Journalism Initiative. The funding allows her to report on stories about Brant County. Reach her at cpercybeauregard@torstar.ca.
The Local Journalism Initiative (LJI) is a federally funded program to add coverage in under-covered areas or on under-covered issues. This content is created and submitted by participating publishers and is not edited. Access can also be gained by registering and logging in at: https://lji-ijl.ca