Saskatoon

Sask. school division asked to monitor 'dark web' for student, staff information after security breach

Saskatchewan's privacy commissioner is recommending a school division in the province's southeast monitor the dark web for vital personal information of as many as 20,000 people who could have been affected by a security breach.

Security expert says recommendation to monitor dark web for 5 years not long enough

A blue plastic cup, filled with coloured pencils, sits on a desk in a classroom. In the background, there are empty chairs at a desk, and books in cubby holes.
The South East Cornerstone Public School Division in southeast Saskatchewan said as many as 20,000 people could have had their information stolen during a security breach in February 2023. (David Donnelly/CBC)

A Saskatchewan school division is being asked to monitor the dark web for current and former staff and students' personal information after a security breach.

The South East Cornerstone Public School Division No. 209 estimated that as many as 20,000 people were affected by a breach to three of its IT systems on Feb. 8, 2023, according to an investigation report from the office of the Saskatchewan information and privacy commissioner. The breach was reported to the office last August, the report says.

It says an unauthorized user was found to have moved data from eight "archive files" to a third-party cloud storage provider, later noting that "unless a separate copy was taken, it is possible that the third party behind this incident lost access to the data as soon as the accounts were suspended."

In an email Tuesday, the school division said third-party cyber experts were unable to confirm which information was taken, if any.

It said the social insurance numbers and banking information of some of its employees could have been stolen, along with the names and contact details of former and current employees, students and parents. The records in question dated back to February 2010 for staff and September 1997 for students.

The privacy commission report also said the health card numbers, ages, gender and student numbers of parents and students could have been stolen.

Read the privacy commission report here: 


Natalia Stakhanova, a University of Saskatchewan computer science associate professor and Canada Research Chair in security and privacy, called the amount of information potentially leaked "astonishing."

"The impact of this lost or stolen information could be lifelong for a person," she said.

"It's sort of in the hands of these individuals that might or might not use this data, and you don't even know when they might decide to use this data, and how."

In an email, the school division said a third-party vendor that specializes in cyber security has been monitoring the so-called "dark web" on behalf of the school division and has not found any stolen information so far.

Stakhanova described the dark web as an unregulated space with a combination of forums where criminals can buy and sell things like goods, information or services.

She said monitoring the dark web means going to specific forums where that type of information is typically sold, and scanning the conversations and posts.

A social insurance number could be used to open a bank account, apply for credit cards or a mortgage, among other actions, she said. It's stressful for those people at risk, she added.

Canada's policy is not to issue someone a new social insurance number without proof the existing one was used fraudulently.

"The person who receives a new [SIN] is still responsible for everything that happens with the old SIN," Stakhanova said.

In a post to the school division page in August, director of education Keith Keating wrote that South East Cornerstone had been unable to figure out what data had been copied. He outlined information that could have been stolen:

  • People enrolled in Assiniboia Park Elementary School, Souris Elementary School, Haig Elementary School and Weyburn Junior High School from 1997 to 2008:
    • Name, address, student ID number, date of birth, grade and treaty number may have been impacted.
  • People enrolled in all South East Cornerstone Public School Division schools from 2004 to 2022:
    • Name, marks and classes enrolled in may have been impacted.
  • People enrolled in the division's schools in 2011 born outside of Canada:
    • Country of birth and first language.
  • People enrolled in the division's schools from 2012 to 2022:
    • Name, address, phone number, learning ID or student ID, date of birth, gender, grade, name and email address of parent or guardian and aboriginal status may have been impacted.
  • Parents or guardians of students enrolled in the division's schools from 2013 to 2022:
    • Name, phone number and email address may have been impacted.
  • People enrolled in the division's schools from 2018 to 2021:
    • Health card number may have been impacted.

Keating also wrote that the school division had been scanning the dark web and had not found evidence that the data had been published.

He also said the school had implemented enhanced security measures to prevent a similar incident from happening again.

The school division is based in Weyburn, but includes 35 schools as far north as Rocanville, west to Ogema, south to Bienfait and east to Maryfield.

Commissioner recommends division scan dark web for 5 years

Saskatchewan's privacy commissioner, Ronald Kruzeniski, wrote in his report that the school division said credentials for an employee on a leave of absence for nearly a year were compromised, though it does not know how. The school told Kruzeniski the credentials remained active because the employee needed access to the system to coach basketball.

Kruzeniski told CBC the school division did well containing the breach, investigating it and notifying those it affected — but laid out some recommendations, including developing a policy about staff access to systems while on leave.

Recommendations included policy changes to network access, information retention and password policies, but also a long-term recommendation to monitor the dark web for five years after the breach.

Kruzeniski said the information could be "sat on for six months or a year or possibly longer."

"You just never know when the information might get released."

a man stands at a podium at the end of a table with a Saskatchewan flag behind him
Ronald Kruzeniski, Saskatchewan's information and privacy commissioner. (Kendall Latimer/CBC)

There's no magic formula to the five-year recommendation, he said, but it has become a standard and seems more reasonable than 10 years.

Stakhanova said five years isn't enough time.

"There have been numerous cases where the information from the data breaches was not used immediately but was actually leveraged by attackers later on," she said, referencing the 2012 LinkedIn cyberattack.

ABOUT THE AUTHOR

Dayne Patterson is a reporter for CBC News. He has a master's degree in journalism with an interest in data reporting and Indigenous affairs. Reach him at dayne.patterson@cbc.ca.