Cybersecurity expert looks into data breach at Waterloo Public School Board
The Waterloo Region District Public School Board has provided few public details about what it calls “cyber incidents” that impacted its computer system, but a cybersecurity expert said the breach was concerning.
The public school board said it was targeted by a criminal group and confirmed data was stolen. The board has not yet specified what data was taken.
Ali Dehghantanha, professor of cybersecurity at the University of Guelph, said that since the school board collects a lot of personal information, his biggest concern about the cyber breach is identity theft and that people’s private information could be used for social engineering attacks.
“If I know your child’s name, your child’s school, maybe even your children’s grades, I can probably set up some very interesting and sophisticated attacks and steal a lot of information from you,” he declared. “Having this private information could give attackers an advantage.”
Dehghantanha said the impact of identity theft can be long lasting.
“Imagine if I could steal information, like a social insurance number, from an underage child, keep it for a period of time until they reach a specific age, and then start misusing it. That would be a really, really difficult case to investigate.”
However, he said anyone whose information might have been compromised might not have to worry at this time. He suggested monitoring financial transactions closely and being vigilant about random calls.
“We don’t know the extent of the information that has been leaked or stolen by the attackers, so currently we are unable to give a good fair assessment of the impact on people.”
On Wednesday, the school board said it was working to protect people’s personal information, but added it could take weeks before the investigation into how it happened and what was stolen is over.
Dehghantanha said the investigation requires examining how the attackers got the information and what they stole.
“Most of these hacking groups are taking steps to remove their footprints,” he said. “That’s why the investigation would be very, very complicated.”
He recommends businesses and corporations take the necessary steps to protect themselves against hacking, including changing cybersecurity procedures and not storing unnecessary personal information.
“Make sure you have a proper data deletion and destruction procedure policy in place,” Dehghantanha said.
When it comes to users, Dehghantanha said it’s best to only use websites that have two-factor authentication.
“If you make this mandatory, it works 200 times better than making your password policy fancy.”
The school board said it plans to release more information about the cyber incidents early next week.