Hackers tried to sell Pembina Trails School Division student, staff info on dark web
Group known as Rhysida demanded equivalent of $1.6M in bitcoins after December ransomware attack

Photos of valid passports, staff payroll information and credit card statements were among the nearly 1 million files uploaded onto the dark web after a recent ransomware attack by a hacker group on a south Winnipeg school division.
The Pembina Trails School Division was hit in December by a data breach carried out by a hacker group known as Rhysida, which stole personal information of students, teachers and families.
The division confirmed Friday the hacker group demanded a ransom to get the data back, but said it wasn't paid. The group then advertised the sale of personal information and photos of students, teachers and staff going back to 2011 on the dark web — a part of the internet that can't be accessed with a traditional web browser.
When no one bought the data, the group uploaded it online.
The data that was possibly exposed includes names, dates of birth, confidential business data, personal health information and email addresses.
Colleen Peluso, who has three children in the Pembina Trails School Division, says some of their personal data was among the information stolen, alongside that of thousands of other students and staff.
"Every year, the parent council at our school does cybersecurity and internet safety talks, which I go to. I've tried really hard to protect my family," Peluso said.
Company found data on dark web
VenariX, a Texas-based company that investigates and records cybersecurity incidents, said it decided to investigate the breach to learn more.
The company has no connection with the Pembina Trails School Division, but found the division's data on the dark web and put together a report on its website that included pixelated images of the stolen information to help people learn about the hack.
The hacker group listed the 5.4 terabytes of data stolen from Pembina Trails online and was selling it for 15 bitcoins — the equivalent of roughly $1.6 million.
"Some of them will try to sell that data to somebody else that is interested … just to make a profit. If they do sell it, some will just remove it off their website like it wasn't even there," said Luciana Obregon, founder of VenariX.
"But if they weren't able to sell it, they basically make it available for anybody to go in and do whatever they want with it."
Screengrabs viewed by CBC show documents with names, birth dates, health information, email addresses and bank account numbers.
Initially, the division said the stolen information dated back to 2014, but it's since learned a backup database was also accessed, with information going back to 2011.
The Winnipeg Police Service's financial crimes unit is investigating.
Teacher and student data "should never be compromised," Manitoba Teachers' Society president Nathan Martindale said in an emailed statement.
"There's no doubt this will cause our members extreme psychological stress."
The division hired its own cybersecurity company to investigate. It's offering three years of a credit monitoring service at no cost to current and former staff and is encouraging families to be vigilant.
Divisions 'don't understand how valuable' data is
The group claiming responsibility for the Winnipeg ransomware attack is believed to be a criminal operation from Russia or eastern Europe. Rhysida has also claimed attacks against government institutions in Portugal, Chile and Kuwait, according to the Guardian.
Pembina Trails was one of many school divisions attacked across Canada. Obregon says she's found leaked data from 32 of them on the dark web.
Another victim of the same group that targeted the Winnipeg division is the Qualifications Evaluation Council of Ontario, a group that evaluates teachers' qualifications for salary categorization purposes. It was hit by an attack last July that may have exposed confidential business data and personal information, some of which has been posted to the dark web, said Obregon.
QECO executive director Liz Papadopoulos described the cyberattack as a "painful matter" and said no financial information was stolen. Everyone impacted was contacted and systems were secured, she said, but she declined to comment further.
Cybersecurity expert Hadis Karimipour said ransomware attacks on schools and school divisions have become more common, as many focus on quickly digitalizing things without keeping security in mind.
"They don't understand how valuable their data is and why cybercriminals would be interested. So they don't invest in it," said Karimipour, Canada Research Chair in Secure and Resilient Cyber-Physical Systems and an associate professor at the University of Calgary.
That data can be extremely valuable for things like identity theft, she said.
Karimipour said one of the easiest things organizations like school divisions can do to protect themselves is to invest in training for employees, helping them to recognize things like phishing emails and learn how work systems can be compromised if they're connected to personal devices that have been breached.
"Unfortunately, humans are always one of the, basically, source of the problem that gives the opportunity to cybercriminals to attack a large organization," she said. "And people usually [make] lots of mistakes."
With files from Josh Crabb, Karen Pauls and Josh McLean