Forensic report on data breach at DDSB’s Whitby HQ shows “no evidence” personal data stolen

Published March 9, 2023 at 10:03 am

A forensic investigation into last November’s data breach at the Durham District School Board has found “no evidence” that student or employee personal information was accessed or stolen.

In the early morning of November 25, 2022, IT Services staff discovered that network servers were inaccessible. “Suspicious activities” were later observed, leading to the network being taken offline for security, containment and investigation.

External IT consultants, including a forensic IT specialist company, were then called in to assist and to implement additional security measures, including multi-factor authentication, stronger password requirements and continual network and endpoint monitoring through a new Security Operations Centre.

“The network and associated data were largely restored from backups and there has since been no evidence of further malicious activity or re-entry into the network,” read a statement signed by Camille Williams-Taylor (Director of Education), David Wright (Associate Director, Corporate Services) and Jim Markovski (Associate Director, Equitable Education).

The investigation revealed that the culprit was malware introduced through a phishing email message sent to a board employee. Once the malware was embedded, it moved laterally through the network, eventually compromising administrator accounts, which enabled the originator to encrypt much of the network.

Schools remained open and in-person learning was not suspended. However, the board’s virtual school program (DDSB@Home) was inaccessible to students for three days. There were also some device and network issues while the security efforts were underway.

The servers and systems were largely restored by December 7.

The forensic investigation found that it was unlikely that personal data was compromised, given there was no proof of data theft, and the board said it has no plans to issue any individual notifications.

The cyber incident did highlight a number of areas of improvement required in security and network operations, Williams-Taylor, Wright and Markovski said. “Significant progress has been made fortifying the DDSB network, and efforts in this regard will be ongoing.”

The incident also shone a light on the important role that technology plays in delivering learning for more than 75,000 students, the board declared. “We are working on developing further contingency plans to support school and business operations should the network need to be taken offline in the future, even if just for a short amount of time.

“Although efforts were already underway prior to the cyber incident to strengthen the DDSB network, we are also working quickly to implement additional security measures to help prevent something like this from happening again.”

The incident was reported to the Information and Privacy Commissioner of Ontario, the province’s Cyber Security Operations Centre, the Ontario Provincial Police and the Ministry of Education.

Though the network did appear to be compromised by ransomware, no ransom demand was made, nor was any ransom paid. There was no claim of data theft and there is no evidence showing that the originator accessed or stole employee or student personal information.

Post-incident monitoring has shown no evidence of malicious activity, and no additional indicators that the originators of the incident ever returned to the network.

The cyber incident final report is available to the public.
