Students' private info stolen in Huron-Superior cyberattack

The Huron-Superior Catholic District School Board is warning current and former students that their private information — including dates of birth, health card numbers, photographs and citizenship status — was stolen during a recent cyberattack that crippled the board’s computer systems shortly before Christmas.

Students across the region started receiving letters in the mail Monday that confirmed — for the first time — that their personal information was accessed by hackers during the ransomware attack that occurred nearly five months ago. Signed by director of education Danny Viotto and board chair Gary Trembinski, the letters also “apologize” to students for being put “in this situation.”

“The board has recently concluded its investigation into the incident,” the letters read. “Unfortunately, we are writing today to advise you that your personal information has been impacted as a result of this incident.”

“The cyber criminals have communicated that the data they accessed has been deleted,” the letters continue. “We have no reason to believe that the cyber criminals have kept or misused the data in any way, though if you have reason to believe otherwise, please let us know.”

“Once again, we apologize that you find yourself in this situation…This has been a very difficult matter for the Board, and we are continuing to strengthen our defences as we strive to put this matter behind us.”

Multiple parents reached out tonight to SooToday to express concern about the letters. It is not clear how many students received one, but SooToday has confirmed that various versions were sent to both current students and recent graduates.

A spokesman for the school board said more information will be released on Tuesday. At this point, it is not clear how many students received a letter.

"As the public is aware, the Board experienced a cyber security incident last December," Jim Fitzpatrick wrote Tuesday morning in an email to SooToday. "Our investigation included analyzing data to determine who was affected and how, and last week we were able to send notification letters to affected families."

When the board’s computer and phone systems were breached on Dec. 15, the hackers sent a type-written note through printers and photocopiers at both the board office and numerous schools, demanding a “modest royalty” in exchange for the scores of data they had just encrypted.

“If you are reading this, it means that your system were hit by Royal,” said the note, which went on to tease the board for being vulnerable to such an attack. “[L]ikely what happened was that you decided to save money on your security.”

The note said the board’s “critical data was not only encrypted but also copied,” allowing it to be published online for “anyone on the internet to read.”

“Fortunately, we got you covered!” the note continued, in a mocking tone. For a “modest ransom,” the hackers promised to restore the system back to normal.

“To put it simply, your files will be decrypted, your data restored and kept confidential,” the note said. “Try Royal today and enter the new world of data security! We are looking forward to hearing from you soon!”

Although the note demanded a ransom, the hackers did not initially provide a dollar figure. To date, the school board has refused to say whether or not it paid a ransom to retrieve any data; officials have only confirmed that the attack was a costly one, forcing the board to operate with a $325,000 deficit for its 2022-2023 budget.

Details of the cyber incident have trickled out slowly over the past five months. In a statement released in January, the board admitted that the attack resulted in the theft of a “significant number of files” from a board server, including social insurance numbers and banking information for staff members employed between 2019 and 2022. Staff and recent retirees were given the option to sign up for credit monitoring at the board's expense.

The statement went on to say that "some students and parents will likely be affected by the incident, though it will take the Board time to analyze data to determine who is affected and to what extent. We will continue to be transparent and will notify those affected as appropriate and in light of our findings."

As the letters make clear, the board has since concluded that students' personal data was indeed compromised in the attack. This marks the first official confirmation from school board officials that the hackers stole sensitive student information.

"As a result of this incident, the Board has made a number of improvements to our security program, including the adoption of multi-factor authentication, strengthening our password policy, adopting more restrictive network settings and implementing new and more powerful network monitoring software," reads the letter sent to students. "If you have any questions, we ask you that you please direct them to [email protected] and we will do our best to provide you with a prompt and accurate response."