'Appalling' Pembina Trails hack could cause a lot of damage, privacy expert says

A privacy expert says she's not seen a breach elsewhere in Canada that matches the scale of the Pembina Trails School Division hack.

Almost a million files amounting to about 4.5 terabytes of data have been released on the dark web after the group behind a December attack targeting the Winnipeg school division couldn't find a buyer for the information.

Ann Cavoukian, executive director of Global Privacy and Security by Design and a former Ontario privacy commissioner, said she's aware of attacks of a similar magnitude elsewhere in the world, including Europe and Japan, but not in Canada.

"It's appalling and can cause so much damage," she said in an interview with the CBC's Up to Speed Monday. 

"Unauthorized third parties can use your personal information to present you in a different light … and also to give unauthorized third parties access to your personal information. They can go do whatever the heck they want with it."

The security breach from December was carried out by ransomware hacking group Rhysida. It shut down the division's networks for weeks, with everything from computers to printers to clocks impacted by the attack.

The school said the information stolen by the hackers goes back to 2011.

Data should've been better protected: Student

The data that was possibly exposed includes names, dates of birth, confidential business data, personal health information and email addresses, as well as payroll information, credit card statements and even photos of valid passports.

Sabastian Kelly, who's in Grade 10, said that while students had personal data leaked, he's mostly worried about teachers and other school staff who've had more sensitive information like social insurance numbers exposed in the attack.

"We can't do too much to not have it out there because it's already been released," Kelly said. 

"Obviously I'm not an IT professional," he said. "But what I can say is that this information … should have been protected a little bit better."

LISTEN | Privacy expert weighs in on Pembina Trails cyberattack:

Up To Speed7:54Pembina Trails Data breach prompts conversation on cybersecurity

Winnipeg South school division was the target of a cyberattack that lead to one million files being uploaded to the dark web. Host Faith Fundal speaks to Ann Cavoukian, the Executive Director of the Global Privacy and Security by Design Centre, about this breach and why cyberattacks are so concerning.

VenariX, an American firm that investigates cybersecurity incidents, said it found the leaked data from 31 other school divisions on the dark web.

Cavoukian said the Pembina Trails attack, while appalling, is not surprising. 

"When governments, schools, school boards have personally identifiable information … this should be very strongly protected," she said.

"It should be encrypted. There should be walls put around it so that unauthorized third parties can't gain access to it."