Waterloo public board confirms student database also accessed in cyberattack

The Waterloo Region District School Board (WRDSB) says an investigation into a cyberattack in July has found that databases containing the personal information ofsome students was accessed along with current and past employees.

In July, the school board said it was notified of unauthorized access to its IT system. The Ontario Provincial Policelaunched an investigation,alongside the school board'sowninternal team,and the school board released the findings late Friday afternoon.

"We recently had an investigation finalized and that investigation let us know for certain that databases containing personnel information as well as one small student database was accessed," Eusis Dougan-McKenzie, the school board's chief communications officer told CBC Kitchener-Waterloo.

Dougan-McKenzie said it was still trying to figure out exactly what student information was compromised.

Staffing data dating back to 1970

"This cyber intrusion disrupted our operations, and WRDSB responded immediately by engaging cyber security experts and prioritizing a full return of our operational functions," wrote Dougan-McKenziein a blog postpublished Friday.

However, when asked about how many employees were impacted by the breach,Dougan-McKenzie said that information was not readily available due to lingeringeffects of the cyber attack.

The school board said cyber attackers illegallyaccessed a restricted drive that contained sensitive,personal information of all current and past employees dating back to 1970. These files were related to payroll and benefits andincluded names, birthdates, banking information andsocial insurance numbers.

The payment history for employees dating back to 2012was also accessed.

The school board said certain student information was accessed, though the full scope of that is unclear. It said it's continuing to investigate and will provide more information once it's available.

The school board said it will contact impacted people if more information is discovered at a later date.

It said that it has recovered all the data and received assurance that any data taken as part of the cyberattack has been deleted.

Next steps

As a result of the cyber attack, some employees were told to expect late payments.

"It has been difficult, especially for staff both those waiting on payments and records of employment and those who were working on resolving this issue," Dougan-McKenzie added.

The school board said it's taking additional measures to strengthen its systems.

It said it's going to invest in leading technologies to protect systems and data from cyber attacks, with the help of its internal IT team and external IT experts.

The school board the Privacy Commissioner Of Ontario has been notified of the incident and people can file a complaint online.

"[The school board] wishes to emphasize that we are treating this matter with the utmost concern and apologize for any inconvenience this incident may have caused," the school board's statement said.