Waterloo Area – A cyberattack on a public school board gave thieves access to employee names, dates of birth, bank details and social security numbers of people who had worked for the board since the 1970s.
The thieves were able to access the paycheck history and “certain student information” of every employee over the past decade, which the board has yet to specify.
This is the school board’s first admission to the extent of personal information stolen in July’s cyberattack.
“We are still actively investigating the full extent of the impact on student information and will provide an update as soon as we have more information,” the Waterloo Borough Schools Board said in a statement on Friday.
On July 10, the board noticed a problem for the first time. The attackers did not inform employees for another week after receiving the data.
The cyberattack resulted in the board being unable to pay some employees later in July and unable to provide employment records needed by others to file employment insurance claims.
Experts have said the intent could be to steal identities. Personally identifiable information such as social security numbers, bank account information, credit card numbers, and date of birth may be used to create a credit card, loan, or bank account.
The board offers employees free credit monitoring for a year.
It has hired forensic experts to investigate the theft and intends to release new details as soon as they are confirmed.
“This has become difficult, particularly for employees awaiting payroll and labor records and working to resolve this issue,” said board spokesman Yousis Dougan-McKenzie.
The board says it has recovered personal data accessed in the attack and is “investing in cutting-edge technologies to protect our systems and data from ever-evolving cybersecurity threats.”
The Ontario Information and Privacy Commissioner has been notified. Complaints to the Commissioner can be made through the Privacy Office at ipc.on.ca.
The board says: “The attackers illegally accessed restricted network drives that contained sensitive personal information related to payroll and benefits administration. These files contained the names, dates of birth, bank details, and information of all current and former employees prior to 1970. Social security numbers were included. The payment history of employees before 2012 was also included.