The nature of the cyber incident and subsequent data breach that affected the Rainbow District School Board in February was ransomware, and a ransom demand was made.
This information has come to light following a formal freedom of information request made to the board by Sudbury.com March 18.
We also sought to find out through our filing how much was demanded through the ransom, if a ransom was paid, and if so, how much.
However, the board said these details were exempt under sections 11 and 12 of the Municipal Freedom of Information and Protection of Privacy Act.
The relevant sections say an organization may refuse to disclose a record that contains information that could prejudice the economic or competitive position or be injurious to the financial interests of an institution, or that is subject to solicitor-client privilege.
Sudbury.com had previously made an informal request asking about the nature of the cyber incident, but the board said it couldn’t comment for security reasons, hence the freedom of information request.
Interview requests to the board on the matter this winter were declined.
Also part of our Freedom of Information filing was a request for any reports on the matter issued by consultants and the estimated number of people affected by the data breach.
In terms of reports, “there are no records that are responsive to this portion of your request,” said the April 16 letter from Rainbow board director of education Bruce Bourget responding to our request.
Similarly, the letter said “no estimate has been compiled at this time” in terms of the numbers of people affected by the data breach.
According to a Government of Canada website, ransomware is a type of malware that denies a user’s access to files or systems until a sum of money is paid.
The cyber incident, now revealed to have been ransomware, came to the board’s attention on Feb. 7, when technical difficulties emerged and internet access was turned off to all schools and the board office.
Students and teachers were in for several rough days as they were forced to learn without the usual technology. Internet was fully restored a week later.
The board confirmed Feb. 20 that a variety of sensitive data had been stolen, and those affected by the massive data breach included current and former employees, students, parents and guardians going back as far as 2010.
But a little over a week later, on Feb. 28, the Rainbow board put out another statement, which said data acquired by unauthorized individuals during the cyber incident “was deleted and has not been shared.”
The board said at that time all of its critical systems had been restored, and that it continued to work with experts to monitor and maintain the network’s security.
“Rainbow District School Board would also like to thank staff, students, parents/guardians, the media and the community for their patience and understanding as we responded to this cyber incident,” the statement said.
Cyber incidents have become increasingly common in recent years, with Sudbury’s Laurentian University also experiencing a major cyber incident in 2024. The university also received a ransom demand in that incident, but it did not pay the ransom.
Heidi Ulrichsen is Sudbury.com’s assistant editor. She also covers education and the arts scene.