Cyber security expert weighs in on data breach at Waterloo public school board


The Waterloo County Public School Board has offered few public details about what it calls “cyber incidents” that affected its IT system, but one cybersecurity expert says the breach is troubling.

The state school board said it was targeted by a criminal group and confirmed data was stolen. The board has not yet stated what data was taken.

But Dehghantanha, a professor of cybersecurity at the University of Guelph, said because the school board collects a lot of personal information, his biggest concern about a cyber breach is identity theft and that people’s private information could be used for social engineering attacks.

“If I know your child’s name, your child’s school, maybe even your children’s grades, they can probably set up very interesting and sophisticated attacks and steal a lot of information from you,” he said. “Having that private information could give attackers an advantage.”

Dehghantanha said the impact of identity theft can be long-lasting.

“Imagine if they could steal information, like a SIN number from a minor, keep it for a while until they reach a certain age, and then start abusing it. That would be a really, really difficult case to investigate.”

However, he said that if someone’s information might be compromised, they might not have to worry just yet. He suggested keeping a close eye on financial transactions and being wary of receiving random calls.

“We don’t know the extent of the information that was leaked or stolen by the attackers, so we’re not currently in a position to give a good fair estimate of the human impact.”

The school board said Wednesday that it is working to protect people’s personal information, but added that it could be weeks before an investigation into how it happened and what was stolen is complete.

Dehghantanha said the investigation required an examination of how the attackers obtained the information and what they stole.

“Most of these hacker groups take steps to remove their footprints,” he said. “That’s why the investigation would be very complicated.”

He recommends that businesses and corporations take the necessary steps to protect themselves from hacking, including changing cybersecurity procedures and not storing unnecessary personal data.

“Make sure you have a proper data removal, data destruction policy in place,” Dehghantanha said.

As for users, Dehghantanha said it’s best to only use websites that have two-factor authentication.

“If you make it mandatory, it works 200 times better than the sophistication of your password policy.”

The school board said it expects to release more information about the cyber incidents early next week.

Comments are closed.