Children whose personal information was stolen in a cyberattack against a Winnipeg school division will be at risk of identity theft or financial fraud well into their adult years, tech analysts told the Free Press.
Databases with Pembina Trails School Division students’ names, birthdates, genders, addresses, personal health identification numbers and photos were leaked on the dark web by a hacker group.
“Over the years, (the data) can be consolidated with financial information, tax information, passport information, whatever, as that data gets created and also gets breached or scoured from websites or social media platforms,” said London, Ont.-based cybersecurity analyst Carmi Levy.
“It has a long memory, and kids will be potentially victimizable as adults. I don’t mean to scare you… but it’s like a long tail-type risk which extends out years, if not decades, as new information is added to the old.”
Personal details of students and staff, plus parent and guardian contact details, were stolen in a ransomware attack Dec. 2. A staff payroll database could have been accessed.
The risk for students and employees will never truly go away, said Levy and Ritesh Kotak, a cybersecurity analyst in Toronto.
“Once your information is out there, it is out there,” Kotak said. “There are aggregators out there that are combining all this information and creating profiles so they can target individuals for fraud.”
The hacker group, which calls itself Rhysida, published a large volume of files on the dark web, after trying to sell the data for 15 bitcoins ($1.7 million at Friday’s exchange rates). Pembina Trails did not pay a ransom demand.
Kotak and Levy encouraged students, parents and staff to be vigilant in case scammers target them via email, traditional mail, texts, social media messages or phone calls.
Scammers could pose as a bank, government, employer or other entities.
“If you get messages that seem personal where individuals are targeting you, claiming to know certain specific information, you’ve got to hit the pause button and validate and verify before giving out any personal information,” Kotak said.
Pembina Trails advised parents to be cautious when they receive correspondence or calls that appear to be from the division, claim to be related to the cyberattack or their child or request personal information.
Pembina Trails is covering three years of credit monitoring for current and former employees whose information is in the payroll database that could have been accessed.
Identity theft and credit monitoring services are an option for minors and parents, Kotak and Levy said. The services generally require a monthly fee.
Services that alert people when their information is found on the dark web vary in effectiveness, he said.
Dozens of Canadian schools or universities have been hit by ransomware attacks.
Levy said Canadian school divisions need more funding for cybersecurity.
“Even if they want to be more cybersecure and have a better cybersecurity posture, they’re not being given resources to invest in better and proactive protections,” he said.
Education Minister Tracy Schmidt said the NDP government increased funding for school divisions this year and last, after a “freeze” by the former Tory government.
“We know school divisions need more funds to address all of their priorities, including security,” she said. “We will certainly move forward and take whatever lessons we can from this incident to make sure things like this are prevented from happening in the future as much as possible.”
No one is immune to these types of cyberattacks, Schmidt said.
A separate attack in December targeted U.S.-based PowerSchool, whose student data management system is used by most Manitoba divisions to track registration, grades and other information.
The Tories, when in government, planned a centralized database.
The NDP scrapped the $50-million plan after being elected in 2023, drawing criticism from the Progressive Conservatives, who claimed a centralized database would better protect data.
Interim PC leader and former education minister Wayne Ewasko claimed the NDP’s cybersecurity measures or comments do not instil confidence.
“There are many things we were doing as a government that should have kept rolling when we lost government, but the NDP feel that it’s their obligation to wipe everything out, and try to re-announce things,” he said.
Schmidt said there is “no proof” using one system would provide additional security.
Divisions have the autonomy to decide which systems they want to use, she said.
The NDP is working on a new education dashboard that draws on existing resources. Schmidt has claimed it will be a more efficient way to improve data collection.
chris.kitching@freepress.mb.ca
Chris Kitching
Reporter
Chris Kitching is a general assignment reporter at the Free Press. He began his newspaper career in 2001, with stops in Winnipeg, Toronto and London, England, along the way. After returning to Winnipeg, he joined the Free Press in 2021, and now covers a little bit of everything for the newspaper. Read more about Chris.
Every piece of reporting Chris produces is reviewed by an editing team before it is posted online or published in print — part of the Free Press‘s tradition, since 1872, of producing reliable independent journalism. Read more about Free Press’s history and mandate, and learn how our newsroom operates.
Our newsroom depends on a growing audience of readers to power our journalism. If you are not a paid reader, please consider becoming a subscriber.
Our newsroom depends on its audience of readers to power our journalism. Thank you for your support.
