Vancouver School Board warns staff of potential privacy breach after 'fraudulent activity'

Staff have been urged to monitor their bank accounts and contact their financial institutions as a precaution

The Vancouver School Board is investigating a potential cybersecurity incident and says police have been informed. (Nicolas Amaya/CBC)

The Vancouver School Board (VSB) says it is investigating a cybersecurity incident involving its online banking systems that may have exposed some employee information.

In a statement to CBC News, the board said it learned about the incident on Wednesday and immediately secured its platform. 

It says information belonging to employees, tuition fee-payers and vendors may have been placed at risk but that there is no current evidence that data was accessed.

"Out of an abundance of caution, we are advising all potentially impacted individuals and companies of this incident," VSB said. "It is important to note that this incident does not impact information of other students and their families."

The Vancouver Police Department has been notified and the VSB says it is following protocols set by the Office of the Information and Privacy Commissioner while the investigation continues.

"We are committed to maintaining the confidentiality of the impacted individuals and are taking protective measures to prevent further fraud attempts."

A letter obtained by CBC News and sent to all VSB employees offers additional details about the breach and advises staff to remain vigilant.

According to the letter, there is a potential risk that the attackers may have unlawfully obtained employee names, bank account details, pay amounts and VSB identification numbers. The notice specifies that affected bank account information is limited to accounts used for payroll within the last 180 days.

"We are advising all employees to monitor their bank accounts carefully and to contact their financial institution for advice on steps they should be taking given this potential unlawful access to information," the letter reads.

Cybersecurity expert suggests precautions

Chester Wisniewski, a digital security expert and director at Vancouver-based company Sophos, says while any data breach is concerning, it appears that the worst outcomes may have been avoided.

"The good news is it doesn't sound like the Vancouver School Board's computers were compromised," he said.

He added that it is also good that social insurance numbers do not appear to be involved. 

Still, Wisniewski warned that the exposure of banking details is significant and employees should act cautiously. He advises those affected to consider changing their bank account numbers.

"That's really kind of a pain because you may have direct bill payments set up, have other direct deposits for your spouse going into the same account," he said. "But ... it would be prudent to make those changes."

The cybersecurity expert says stolen banking information could be used in phishing attacks where criminals could send targeted emails referencing specific account details to trick victims into believing they are communicating with legitimate bank representatives.

"Be careful what you share publicly that is used to confirm your identity," Wisniewski said. "The less of that information you publish publicly, the less likely it is that a criminal is going to be able to impersonate you and potentially try to compromise your own accounts."

Wisniewski says large organizations like school boards can be attractive targets because of the size of their payroll systems. He also stressed that institutions should move away from basic two-factor authentication methods, such as six-digit codes.

"The criminals have become really adept at intercepting that code," he said, adding that organizations should adopt stronger authentication measures like security tokens that physically connect to computers or mobile devices.

In the meantime, VSB is encouraging employees to review fraud and identity theft prevention resources and says support is available to staff who wish to change their payroll deposit information.

The VSB says there are no expected disruptions to regular payroll or other systems.

ABOUT THE AUTHOR

Shaurya Kshatri is a web writer and reporter at CBC News Vancouver. You can reach him at shaurya.kshatri@cbc.ca.

With files from Akshay Kulkarni