Sask. school systems vulnerable to cybersecurity threats, auditor's report says

Saskatchewan's provincial auditor says 13 school divisions are vulnerable to cybersecurity threats.

A report released Tuesday by Tara Clemettfound 13 of 27 school divisions in Saskatchewan "use a key financial IT system managed by a third-party service provider withidentified system vulnerabilitiesthat exposethem to increased cybersecurity risks."

The report said a key IT system used in those school divisions hadoutdated software as of August 2021.

It said while a third party manages the IT system, school divisions are responsible"for managing risks associated with their IT systems and data."

The audit recommended "the Ministry of Education work with impacted school divisions to establish a process to monitor the key financial IT system and the IT service provider."

"Cybersecurity remains a real threat highlighted by the recent breach to the Regina Public Schools IT system," Clemett said Tuesday.

The Regina Public School Division recently had to shut down its internet-based systems, including email and educational tools,because of a cyber attack.

Last month, CBC News reviewed a copy of a note from an organization called BlackCat/ALPHV, which experts say is well known for employing ransomware attacks.

The note alleges that 500 gigabytes of files belonging to Regina Public Schools havebeen encrypted and that the group now possessescopies of data rangingfrom tax reports and health information to passports andsocial insurance numbers.

Clemett said agencies need to be proactive in planning for the scenario they are victims of a ransomware or cyber attack.

"I encourage agencies to always focus on that disaster recovery plannow with ITrisks evolving as fast as they do," Clemett said.

"You are not going to ever be 100 per cent ready or secure. It's a matter of, 'I probably have the potential to be breached and when I am breached, how quickly can I recover?'"

Ministry response to auditor findings

In a statement to CBC, the province said it "takes the recommendations of the provincial auditor seriously and will continue efforts to improve processes to safeguard public resources."

Saskatchewan's Ministry of Education said it expects divisions will work with IT partners to "ensure divisions are receiving standard security reporting from their service provider on a timely basis."

Regarding the cyber attack at Regina Public Schools, thegovernment said"it is our understanding that the division is taking appropriate steps to get the IT system back online safely with support from cybersecurity professionals, and will investigate the attack appropriately."

Recent cyber attacks within government

But cybersecurity threats within government are not limited to school divisions.

In the past two years, breaches have been found at both eHealth and the Saskatchewan Liquor and Gaming Authority.

Clemett said the issue is front of mind for those within government.

"It's definitely something that when I talk to various senior management across government and boards organizations, it's definitely a top key risk. For government and all and many agencies, probably private too."

Clemett said her office has plans to look into cybersecurity in future reports.

On Christmas Day 2021, SLGA experienced a hack of its computer system.

About three weeks after the hack, SLGA warned its employees that their personal data may have been stolen.

On March 22, three months after the hack, SLGA posted an "indirect notification" on its website that a wide range of data belonging to gaming, liquor and marijuana permittees may have been stolen by the hackers. SLGA said that may include medical, criminal, financial, and personal data.

Last month, hackers claimed they had sold some data on the "black market."

In April, then minister responsible for SLGA, Jim Reiter, said the government would not be negotiating with the hackers.

In 2019, a ransomware attack on eHealth affected millions of files.

The auditor's report in June of 2020 examined the IT network and security of eHealth as of August 2019, a few months before the attack.

"If the organization would have dealt with [the issues] earlier and promptly, it would have reduced the risk," then provincial auditor JudyFerguson said."Unfortunately, we're not in a world [where it's] if you will be attacked. It's a matter of when."

In a 2021 report, Saskatchewan's information and privacy commissionerRon Kruzeniskicalled it one of the worst privacy breaches in provincial history.

Last month, cabinet agreed to pay $62.3 million to eHealthtowardIT system and equipmentupgrades.