Last February, the South East Cornerstone Public School Division reported they had a data breach when an unauthorized third party accessed three of their systems. The data from these systems was then uploaded to a cloud storage service.  

When the school division noticed the issue, they deployed the necessary countermeasures to protect the network by isolating systems and restricting access. They also engaged third-party cybersecurity experts, notified the RCMP National Cybercrime Coordination Centre, and reported the breach to the Ministry of Education and to the Information and Privacy Commissioner.  

During the investigation into the breach, the division determined which files could have been taken from the network, and notified any potentially affected individuals.  

After receiving the report about the breach, the Information and Privacy Commissioner investigated the handling of the incident. The report into the handling was released on February 1st.  

In the report, Commissioner Ronald Kruzeniski said the division took all of the appropriate steps to contain the breach, notify the affected parties, and thoroughly investigate the breach. He also noted the division has been proactive in monitoring the dark web for any information associated with the breach.  

There were also some recommendations made by the Commissioner in terms of preventing similar breaches in the future. These include continuing dark web monitoring for five years from the date of the breach, the completion of an investigation into acquiring a zero-trust network access solution, the development and implementation of a password policy, and ensuring that security training is provided, at a minimum, annually, and is mandatory for all staff.  

The report detailed that the breach itself was made possible through the use of the credentials of an employee who was on leave. How the credentials were compromised was not determined, despite forensic investigations. Experts stated in the report they believed the incident to be a precursor to a ransomware attack. The report also stated there was no evidence of phishing, or that the employee's device was accessed.

Read the full report below:

https://oipc.sk.ca/assets/la-foip-investigation_200-2023.pdf