Manitoba

Database with Pembina Trails students' personal information accessed in cyberattack, division says

A database with personal information of former and current Pembina Trails School Division students — including health identification numbers, parents' contact information and most recent photos — were accessed during a cyberattack earlier this month.

Staff's bank information, SINs may have been accessed as well, division says in update

A sign reads "Pembina Trails School Division."
Pembina Trails School Division says a breached student database contained information like names, dates of birth, gender, personal health identification numbers and addresses of current and former students, as well as the contact information of parents or guardians and photos of the students. (Karen Pauls/CBC)

A Winnipeg school division says a database with personal information of former and current students — including health identification numbers, parents or guardians' contact information and most recent photos — was accessed during a cyberattack earlier this month, and the division is warning another database with staff payroll information was "either accessed or could have been accessed." 

Pembina Trails School Division previously said its information technology team identified "unusual activity" in its network system, resulting in phone and computer outages, on Dec. 2 and it began an investigation.

In an update posted on its website Thursday night, the division said it learned a database that "generally contains" personal information of students who attended Pembina Trails schools since 2014 was accessed by an unauthorized third party in the days leading up to Dec. 2, and a separate database containing payroll information of staff could also have been accessed.

The student database contained information like names, dates of birth, gender, personal health identification numbers and addresses of current and former students, as well as the contact information of parents or guardians and photos of the students.

For some students, it also contains health concerns or medical alerts, immigration information and the name of the student's previous educational institution, the division said.

It doesn't include student financial information, it said. For international students, financial data is stored on another system that was not compromised in the cyberattack.

Staff information may have been accessed

The staff database, which generally has information about Pembina Trails staff since 2009, may have been accessed, the division said in its Thursday update.

The payroll database contains the name, social insurance number, birthday, gender, address and phone number of the staff member, as well as information about their compensation and bank account, the division said.

Not all former staff from the 2009 and on period had information stored on that database, and any staff whose information was included will be contacted by email or mail, the division said.

"We have no evidence that the contents of the database were actually accessed," the update said, but the school division is offering a 36-month credit monitoring service to staff whose information was in the database out of an abundance of caution.

It is recommending its employees enrol in the credit monitoring service.

Pembina Trails School Division said it is working with third-party cybersecurity professionals and gradually restoring school functions, and has notified law enforcement and the Manitoba Ombudsman.

The division said it deeply regrets the incident and finds it "appalling that an organization dedicated to the education and safety of children should be the focus of this kind of criminal activity."

CBC News reached out to the school division's board, which declined to comment beyond its statement.

Pembina Trails has 36 schools, with more than 17,000 students and almost 2,500 full- and part-time staff, the division says.