WATERLOO REGION — A cyberattack on the public school board gave thieves access to employee names, birthdates, banking information, and social insurance numbers for anyone who has worked for the board since 1970.
Thieves were also able to access the paycheque history of all employees for the past decade and “certain student information” the board has yet to specify.
It’s the first admission by the school board of the extent of personal information stolen in the July cyberattack.
“We are still actively investigating the full scope of the impact on student information, and we will be providing an update once we know more,” the Waterloo Region District School Board said Friday in a statement.
The board first noticed an issue July 10. It did not notify staff for another week after realizing the attackers may have obtained data.
The cyberattack left the board unable to pay some employees later in July, and unable to provide employment records needed by others to file employment insurance claims.
Former employees are “very, very concerned because their identity is at risk,” said Richard Clausi, a retired math teacher who is president of a local chapter of retired school employees.
Retired employees are puzzled the board kept their personal information for so long. They want more details on how the theft happened. They want better communication and extended credit monitoring to guard against identity theft, Clausi said.
Retirees have heard stories about fraud victims who had homes sold out from under them. They have heard about names being used to create fake credit cards.
“Identity theft is a pretty serious thing,” said Clausi, who has complained to Ontario’s privacy commissioner.
Experts have said the intent may have been to steal identities. Personal information such as social insurance numbers, bank account details, credit card numbers, and dates of birth can be used to create credit cards, loans or bank accounts.
The board is providing employees with one year of complimentary credit monitoring.
It has hired forensic experts to investigate what was stolen and says it intends to release new details as they are confirmed.
“It has been difficult, especially for staff both those waiting on payments and records of employment and those who were working on resolving this issue,” said Eusis Dougan-McKenzie, spokesperson for the board.
The board says it has recovered personal data accessed in the attack and is investing in “leading technologies to protect our systems and data from ever-growing cybersecurity threats.”
Ontario’s information and privacy commissioner has been notified. Complaints to the commissioner can be filed through the privacy office at ipc.on.ca.
The board did not respond to questions or requests for comment after releasing a statement Friday.
It said “the attackers unlawfully accessed a restricted network drive that contained sensitive personal information related to payroll and benefits administration. These files included the names, birthdates, banking information, and social insurance numbers of all current and past employees dating back to 1970. The payment history for employees dating back to 2012 was also included.”
WATERLOO REGION — A cyberattack on the public school board gave thieves access to employee names, birthdates, banking information, and social insurance numbers for anyone who has worked for the board since 1970.
Thieves were also able to access the paycheque history of all employees for the past decade and “certain student information” the board has yet to specify.
It’s the first admission by the school board of the extent of personal information stolen in the July cyberattack.
“We are still actively investigating the full scope of the impact on student information, and we will be providing an update once we know more,” the Waterloo Region District School Board said Friday in a statement.
The board first noticed an issue July 10. It did not notify staff for another week after realizing the attackers may have obtained data.
The cyberattack left the board unable to pay some employees later in July, and unable to provide employment records needed by others to file employment insurance claims.
Former employees are “very, very concerned because their identity is at risk,” said Richard Clausi, a retired math teacher who is president of a local chapter of retired school employees.
Retired employees are puzzled the board kept their personal information for so long. They want more details on how the theft happened. They want better communication and extended credit monitoring to guard against identity theft, Clausi said.
Retirees have heard stories about fraud victims who had homes sold out from under them. They have heard about names being used to create fake credit cards.
“Identity theft is a pretty serious thing,” said Clausi, who has complained to Ontario’s privacy commissioner.
Experts have said the intent may have been to steal identities. Personal information such as social insurance numbers, bank account details, credit card numbers, and dates of birth can be used to create credit cards, loans or bank accounts.
The board is providing employees with one year of complimentary credit monitoring.
It has hired forensic experts to investigate what was stolen and says it intends to release new details as they are confirmed.
“It has been difficult, especially for staff both those waiting on payments and records of employment and those who were working on resolving this issue,” said Eusis Dougan-McKenzie, spokesperson for the board.
The board says it has recovered personal data accessed in the attack and is investing in “leading technologies to protect our systems and data from ever-growing cybersecurity threats.”
Ontario’s information and privacy commissioner has been notified. Complaints to the commissioner can be filed through the privacy office at ipc.on.ca.
The board did not respond to questions or requests for comment after releasing a statement Friday.
It said “the attackers unlawfully accessed a restricted network drive that contained sensitive personal information related to payroll and benefits administration. These files included the names, birthdates, banking information, and social insurance numbers of all current and past employees dating back to 1970. The payment history for employees dating back to 2012 was also included.”