In July the Waterloo Region District School Board was the victim of a cyber crime when attackers gained unauthorized access to the board’s information technology system.
The attackers gained access to the personal information of current and past employees, as well as students.
The employee information accessed included names, birthdates, banking information and social insurance numbers of current and past employees back to 1970. Payment history to 2012 was also accessed.
One retired teacher from Elmira District Secondary School, Richard Clausi, is demanding the school board take stronger actions to protect retirees whose data was stolen. Clausi is the Chapter 24 president of the Active Retired Members of Ontario Secondary School Teachers’ Federation.
“Our members are really, really concerned. ARM chapter 24 represents retirees, and I had one person say, ‘when I retired, I returned my key, my security card and all that stuff. And I assumed that the board would reciprocate with our personal data, or at least encrypt it, archive it, safeguard it offline,’” he said.
“I genuinely sympathize with where (the school board) is at. But that doesn’t correct the fact that we have a problem.”
In a blog post, school board staff announced the data breach and said, “we have recovered the data, and we have received assurance that any data taken as part of the cyber intrusion has been deleted.”
But Clausi is not so sure. “Data is funny,” he said. “It’s tangible. But the strange thing is that a copy is every bit as good as the original. It is the original for all intents and purposes, better than a photocopy. It is the original. And so there’s an awful lot of stress out there.”
What Clausi really wants to know is why 52 years of data was available to be hacked in the first place.
“I retired over 10 years ago. It boggles me that they would hang on to that. Things like social insurance number, date of birth… financial information that is part of your digital identity. And, you know, if you wanted to steal somebody’s identity, right there in one little basket they’ve got everything they would need.”
“This whole business of identity theft is really scary,” he said.
Clausi approached the school board with three main asks: that a data lifecycle policy be developed so that sensitive data is no longer stored indefinitely; that retirees be notified of the data breach directly, as many had to find out about it “through the grapevine,” he said; and that retirees be granted indefinite credit monitoring, courtesy of the school board. Current and former employees are eligible to sign up for one year of complimentary credit monitoring, though Clausi said he believes this is not enough.
The school board has not yet responded to a request for comment.
July’s cyber attack also disrupted the school board’s payment of employees and those waiting for records of employment.
In a release, school board staff stated, “Going forward we are taking a number of additional measures to strengthen our systems. Working in collaboration with our internal IT team and external IT experts, we are continuing to invest in leading technologies to protect our systems and data from ever-growing cybersecurity threats.”
The post also included the link to make a complaint to the Information and Privacy Commissioner of Ontario.