Manitoba

Mother 'livid' after learning children's personal info may have been exposed in cyberattack

A mother of three foster children says she wasn't told their personal information could be at risk until a week after a cyberattack on the child welfare authority responsible for them.

Parent says it took a week to be told of breach; child welfare authority says no evidence private data taken

The Southern First Nations Network of Care was the victim of a Nov. 21 cyberattack, which has rendered its entire internal IT system unusable. It's unclear at this point what, if any, information was compromised. (Tyson Koschik/CBC)

A mother of three children in foster care says she wasn't told their personal information could be at risk until a week after a cyberattack on the child welfare authority responsible for them.

"I was in shock," said the woman, who CBC News is not naming in order to protect the identity of her children. "I was livid. Why wasn't I notified immediately?" 

The mother said her child and family services worker told her that any details she's ever provided to the agency about her or her children might be vulnerable, following a Nov. 21 ransomware attack on the Southern First Nations Network of Care (SFNNC).

The SFNNC authority oversees the care of more than 5,000 foster children in southern Manitoba through 10 Child and Family Services (CFS) agencies.

"She said they don't [know] exactly what was leaked ... but to be aware that all information may be out there, such as what's happening in court ... plus their birthdays, plus my information, my address, my number, email correspondence," she said.

"I was quite taken aback."

For nearly two weeks, the ransomware attack has rendered the Southern First Nations Network's entire internal IT system completely unusable. The IT network is used by eight of its 10 child agencies for everything from emailing about foster cases to tracking financial information.

While the attack has locked the system, it's unclear at this point what, if any, information was compromised.

Told to watch email, bank accounts

The mother said a child and family services worker took her aside during a regular visitation with her son on Nov. 29, eight days after the ransomware attack had occurred.

"She said, 'I've got some bad news.' I was thinking … it was in regards to visitations."

Instead, the worker revealed the attack.

"She said, 'Your information, along with children's information, is at risk. And how much information, we can't confirm yet.'"

This mother of three children in foster care said she's been told that any of the information she has provided to the child welfare authority may be at risk. CBC News is not revealing her name to protect the identity of her children. (Walther Bernal/CBC)

The mother said she regularly uses email to correspond with CFS workers, and the Southern Authority has "pretty much everything" on her and her children since they've been in their care.

"I gave over full identification, birth certificates, my [social insurance number], employment status — everything on me, I gave to them to co-operate," she said.

The CFS worker told her to keep an eye on her bank statements, and watch out for "weird" emails or calls.

"This could affect my children's future," she said. "It's affected me mentally already — I'm stressed out," she said.

The Southern First Nations Network of Care held a press conference Sunday, Nov. 24, to talk about the ransomware attack on its internal IT system. The authority has not given any updates since then. (Travis Golby/CBC)

The mother said she wasn't told how or when she would get more information on the situation.

"I don't know what's being done with my information, but it's a violation of my personal information, and my children's personal information. And I don't take that lightly."

'No evidence' data has been taken

CBC News had made multiple requests to the Southern First Nations Network of Care for more details or updates on the investigation, but has not received a response.

A written statement was provided by Diane Kelly, director for child and family services with the Southern Chiefs' Organization, which oversees and appoints the board of the Southern First Nations Network of Care.

"There is no evidence at this time of personal data, of any kind, being taken and or manipulated in any way," Kelly wrote in the statement sent to CBC News.

Diane Kelly is director for child and family services with the Southern Chiefs' Organization, which oversees and appoints the board of the Southern First Nations Network of Care. She says there's no evidence that any personal data has been taken. (Trevor Brine/CBC)

"Our agencies' [data] has been encrypted and cannot be accessed," she said. Kelly would not say when the data was encrypted.

"We have a leading investigative team working on the situation," she wrote. Kelly would not answer questions about who comprises that investigative team. 

"Should things change and/or concerns increase, the network will reach out to any and all relevant stakeholders at that time," she wrote.

Kelly added that Southern Chiefs' Organization "has full confidence in the board of directors of the Southern First Nations Network of Care. All SFNNC board appointments follow the appropriate process."

Last week, CBC News spoke to the head of Sandy Bay Child and Family Services, who said the care network was "dysfunctional" and had published information on its website that made it vulnerable to the cyberattack.

Police investigation could take months

It could be months until police have any updates on the investigation, according to Manitoba RCMP spokesperson Sgt. Paul Manaigre.

The ransomware attack was reported to RCMP's Headingley detachment on Nov. 24, three days after the breach occurred. Police believe the cyberattack happened in Headingley, which is also where the main offices of Southern First Nations Network of Care are located.

In an email to CBC News, Manaigre said the digital forensic investigation to figure out exactly what happened will take considerable time to complete.

The RCMP's major crimes unit has been assigned to the investigation, he said.

Mother of three children in foster care wasn't told their sensitive personal information could be at risk until more than a week after a cyber attack

5 years ago
Duration 2:20
The woman says the Southern First Nations Network of Care never let her know a ransomware attack may have compromised her children's sensitive, confidential information. Instead, she was told eight days after it happened, during a regular visit with one of her kids.

ABOUT THE AUTHOR

Marina von Stackelberg is a senior reporter at CBC's Parliamentary Bureau in Ottawa. She covers national politics and specializes in health policy. Marina previously worked as a reporter and host in Winnipeg, with earlier stints in Halifax and Sudbury. Connect with her by email at mvs@cbc.ca or on social media @CBCMarina.