Schools are facing security breaches at the beginning of the new session


The largest district school board in Canada was targeted by the LockBit ransomware gang, and the board acknowledged that an unknown number of students from the 2023–2024 school year had their personal information compromised in June 2024. The affected student data include names, birthdates, email addresses, grades, school names, and student numbers. LockBit set a September 12th deadline for ransom payment.

Who is LockBit:

LockBit is a cybercriminal group offering ransomware as a service (RaaS). The group develops ransomware that affiliates who are prepared to pay can use to launch attacks with two different strategies: first, they encrypt the victim’s data and demand a ransom; second, they threaten to make the data publicly available if their demands are not met. In this case, they chose the second one. Roughly 1,700 ransomware attacks in the US between January 2020 and May 2023 used LockBit, and the attackers were paid US$91 million in ransom.

The Toronto District School Board (TDSB), the largest school board in Canada and the fourth largest in North America, initially claimed that only a testing environment separate from the live system was affected by the ransomware attack. A later update, however, showed that student information was also affected, including names, dates of birth, grades, email addresses, student numbers, and school names. The school board notified the Ontario Information and Privacy Commissioner (IPC) of the incident and followed its advice. Parents also have the right to complain to the IPC. The TDSB took the following actions:

• Disconnected the test environment right away;

• Further strengthened their systems to deter future incidents;

• Engaged law enforcement, who looked into the matter; and

• Immediately engaged their cyber security experts to isolate and secure the affected systems and determine the scope of the breach.

A similar hack affected Mobile Guardian, a globally used digital classroom management platform, remotely wiping data from at least 13,000 iPads and Chromebooks. Mobile Guardian revealed that during the first week of August 2024 a security breach affected its instances in North America, Europe, and Singapore. The threat actor gained unauthorized access to the platform and used it to erase the iPads and Chromebooks of 13,000 students nationwide, according to Singapore’s Ministry of Education, though Mobile Guardian claimed that the incident only affected a “small percentage of devices.” Following a cyberattack this week that compromised its IT systems, Highline Public Schools, a K–12 district in Washington state in the US, closed all of its locations and canceled all of its scheduled events.

There are still techniques to prevent cyberattacks, even though many schools lack the budget for security measures. The first step is patching any systems exposed to the internet and ensuring that vulnerabilities are fixed routinely. Second, to make it harder for malicious actors to get in, schools must add a multi-factor authentication layer. Finally, staff and employees must receive regular, appropriate education and training to defend themselves against phishing attacks. Schools and other educational institutions will be less vulnerable to attacks and have better overall cyber health if these three strategies are put into practice.
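One concrete form of the multi-factor authentication layer mentioned above is a time-based one-time password (TOTP, RFC 6238) as the second factor. The following is an added example and not code from the original post or from any of the school boards or vendors discussed; it uses only the Python standard library, the user name "alice" and the timestamps are constructed, and the server-side verifier also rejects a code that was already accepted once, so a captured code cannot be replayed within the same 30-second window.

```python
"""TOTP (RFC 6238) second factor: enrolment, code generation and a server-side
verifier that tolerates small clock drift and refuses to accept a code twice.
Added example; not code from the original post. Standard library only."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # time step recommended by RFC 6238
DIGITS = 6
DRIFT_STEPS = 1     # also accept the previous and next step (clock skew)


def new_secret() -> bytes:
    """Random 160-bit shared secret generated when an account is enrolled."""
    return secrets.token_bytes(20)


def secret_to_base32(secret: bytes) -> str:
    """Encoding shown to the user so they can load the secret into an authenticator app."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check. Remembers the last accepted time step per user so
    that the same code is never accepted twice."""

    def __init__(self):
        self._last_step = {}  # user -> last accepted counter value

    def verify(self, user: str, secret: bytes, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self._last_step.get(user, -1):
                continue  # this step (or an earlier one) was already consumed
            # constant-time comparison so response timing reveals nothing about the code
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: ASCII secret, SHA-1, T=59 -> 94287082 (8 digits)
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59:", totp(rfc_secret, 59))  # last six digits: 287082
    verifier = TotpVerifier()
    alice_secret = new_secret()          # "alice" and the timestamps are constructed
    code = totp(alice_secret, 1700000000)
    print("first use accepted:", verifier.verify("alice", alice_secret, code, now=1700000000))
    print("replay rejected:", verifier.verify("alice", alice_secret, code, now=1700000005))
```

The drift window of one step on either side is the usual trade-off between tolerating phone clocks that are a few seconds off and keeping the number of codes an attacker could guess at any moment small; the replay check matters because a phishing page that relays a victim's code in real time can otherwise reuse it during the rest of the 30-second window.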

Let’s keep an eye on the situation and wait for the results in the next few days.

References:

https://www.scmagazine.com/brief/toronto-district-school-board-admits-breach-amid-lockbit-claim

https://en.wikipedia.org/wiki/LockBit

https://www.tdsb.on.ca/home/ctl/Details/mid/43823/itemid/340

https://thecyberexpress.com/lockbit-largest-district-school-board-canada

https://www.moe.gov.sg/news/press-releases/20240805-mobile-guardian-device-management-application-to-be-removed-from-personal-learning-devices

https://www.bleepingcomputer.com/news/security/highline-public-schools-closes-schools-following-cyberattack

https://www.infosecurity-magazine.com/news/second-school-cyberattack-before


15 Comments

  1. Excellent, Nazim! These kinds of cyberattacks on schools that expose personal data and the potential for misuse create lasting concerns for students and their families. And the rise in personal laptops and devices brought to school by students post-COVID adds a layer of complexity to managing and securing school networks, even more. I think it’s crucial for policymakers to prioritize cybersecurity and allocate resources accordingly to protect our educational environments and students.

    1. Thanks. Yes, you pointed out another risk of BYOD. Advanced measures are very important in every sector.

  2. Excellent post, Nazim! This is particularly concerning for parents of school-going children in Canada. Many parents use their primary email address for both school communications and sensitive financial transactions, increasing the risk of compromise. Is there a viable alternative to using multiple email addresses? While passwords are typically stored encrypted, public schools may have limited resources for top-notch security measures.

  3. Thoughts! Nazim, the LockBit ransomware attack on the Toronto District School Board finalizes that schools are susceptible to cyberattacks with compromised students’ sensitive information. The board responded immediately, supporting improving measures such as patching, MFA, staff education, and other steps to prevent the threats that troubled the community. Cybersecurity should be of the utmost concern in schools, even when limited funding is available.

  4. This incident serves as a clear reminder of how powerful tools like cryptography can be weaponized for malicious purposes. Schools and other public institutions need to prioritize stronger security measures to protect sensitive data and address the growing risks of cyberattacks.

  5. Having continuous engagement on how to react to a cyber incident doesn’t only prepare the organization, but also helps to develop how these institutions react to and handle such events; every organization should have an incident response playbook.

  6. I just learned that LockBit is a notorious ransomware group. Same group who attacked London Drugs. I read in an article that two of their members already pleaded guilty but have not been sentenced yet. But the scary part is, although the authorities have identified some of the affiliates and at the same time had several operations done to bring them down, the group has remained active and is still launching attacks! Will it really be possible to bring such groups down? Authorities may have the means and technology to track them, but at the same time, these groups also use advanced technologies to make these attacks. In addition, there is a website called StopRansomware.gov where one can find details about protecting networks against ransomware.

  7. Great post, Nazim! For the Toronto District School Board I find it somewhat concerning that they first learned of the breach through a testing environment. That makes me wonder if LockBit used this testing environment to make initial headway into the District’s IT infrastructure, and through negligent security malpractices like reusing credentials or sharing sensitive information in an exposed testing environment, were able to get deeper into the network. It would be interesting to know what exactly LockBit used to infiltrate the network, and what they did specifically to “further strengthen their systems” and prevent such a disaster from happening again.

  8. A real scenario! Our educational institutes are also not safe from those kinds of groups and phishing attacks. It is high time to take necessary actions in each institution, no matter which sector. I think in today’s world each sector deals with people’s personal information. For that reason, the mentioned steps must be followed, but I think ransomware attacks and phishing attacks mainly occur because of unconsciousness of the end user. No matter how high the security layer is, if the end user has no idea about phishing attacks, they will always click on an unauthorized link or put a pen drive in a system PC. So cyber threat classes should be arranged for every new member of a company as well as the old members.

  9. Excellent write-up, Nazim!! The increasing number of cyber attacks on schools and other institutions as a whole goes to show that there is a clear and obvious need for robust cyber security training for employees in the aforementioned institutions in order to at least have a chance of combating this critical issue.

  10. Great Post! This article highlights the urgent issue of cyber threats in schools, particularly the Toronto District School Board ransomware attack. While the TDSB’s response is positive, schools must prioritize proactive cybersecurity measures, such as regular training and multi-factor authentication, to better protect student data.

  11. Excellent post Nazim. According to the National Cyber Threat Assessment 2023-2024 by the Canadian Centre for Cyber Security (Cyber Centre), ransomware is a persistent threat to Canadian organizations. Due to its impact on business operations, ransomware is considered one of the most disruptive forms of cybercrime facing Canadians.

    Cybercriminals deploying ransomware are constantly adapting their techniques to maximize profits. They are quick to exploit and manipulate emerging technologies for malicious purposes. The lucrative nature of ransomware will likely continue to attract new criminal groups despite increasing law enforcement efforts to counter these threats. Therefore as you mentioned, awareness and education are crucial to preventing ransomware.

    It’s essential to provide students and employees with continuous training to defend against phishing and other cyber threats. Regularly updating these training programs with the latest cyber threat intelligence ensures that individuals are prepared to counter evolving tactics used by attackers. This would significantly reduce the likelihood of schools and organizations falling victim to ransomware.

    Reference
    • Government of Canada, Canadian Centre for Cyber Security. (2024). National cyber threat assessment 2023–2024. https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2023-2024#fn10

  12. Educational institutions should learn from these recent cyberattacks and proceed with the urgent strengthening of the cybersecurity posture of their institutions. This LockBit ransomware incident compromised a lot of students’ sensitive information, followed by a data wipe that possibly affected thousands of devices. Schools’ exposed networks must be patched as a priority, and the implementation of multi-factor authentication can quickly help tackle unauthorized access.

  13. Great post, Nazim! It’s interesting that they were able to gain access through the test site. I know at places I have worked, the passwords to access the admin accounts are generally very simple and easy to remember, like “password123” easy, but they are set up so that they are not accessible outside the company’s VPN. If that test site was able to be accessed by the public, and they had simple passwords for the admin accounts, it would be easy to gain access. It’s also concerning that they were able to get students’ information, potentially from the test site itself. Often, for test sites, real data will be masked so that there is no resemblance to the actual data and there is no way for someone to reverse engineer that information to get the original data. So, even if a malicious party gained access to those test sites, they wouldn’t have access to real PII, such as people’s names and addresses. Hopefully, once a new test site is created by the Toronto school board, they will take care to keep that data as secure as possible.
    More info on data masking: https://www.techtarget.com/searchsecurity/definition/data-masking#:~:text=Data%20masking%20is%20a%20method,real%20data%20is%20not%20required.
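The data masking that comment 13 describes, for the record fields the post lists (name, date of birth, email, grade, school, student number), as an added example that is not part of the original post or of any school board's or vendor's tooling. The records, the name pool and the masking key are constructed for illustration; the technique is keyed pseudonymization with HMAC-SHA256, so the same real student always masks to the same fake values (joins in the test database keep working) while nobody without the key, which stays on the production side, can map a masked value back to a real one.

```python
"""Mask student records before they are copied into a test environment, so a
compromised test system exposes no real PII. Added example, not the TDSB's or
any vendor's code; records, name pool and key are constructed. Stdlib only."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample export: made-up people, not real records. The third row
# repeats the first to show that masking is deterministic.
SAMPLE_RECORDS = [
    {"name": "Ava Tremblay", "dob": "2011-04-17", "email": "ava.tremblay@example.org",
     "grade": "7", "school": "Maple Leaf Middle School", "student_number": "33312345"},
    {"name": "Liam Nguyen", "dob": "2009-11-02", "email": "liam.n@example.org",
     "grade": "9", "school": "Lakeshore Collegiate", "student_number": "33367890"},
    {"name": "Ava Tremblay", "dob": "2011-04-17", "email": "ava.tremblay@example.org",
     "grade": "7", "school": "Maple Leaf Middle School", "student_number": "33312345"},
]

# Small constructed pool of replacement names; a real deployment would use a larger list.
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Taylor", "Casey", "Morgan", "Riley", "Jamie"]
LAST_NAMES = ["Smith", "Lee", "Patel", "Brown", "Martin", "Roy", "Wong", "Gagnon"]


def _prf(key: bytes, label: str, value: str) -> int:
    """Keyed pseudo-random function (HMAC-SHA256). Deterministic per value so
    masked tables still join, but without the key the mapping cannot be rebuilt
    and a masked value cannot be reversed. The label separates field domains."""
    mac = hmac.new(key, f"{label}\x00{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def mask_name(key: bytes, name: str) -> str:
    h = _prf(key, "name", name)
    return f"{FIRST_NAMES[h % len(FIRST_NAMES)]} {LAST_NAMES[(h >> 16) % len(LAST_NAMES)]}"


def mask_dob(key: bytes, dob: str) -> str:
    """Shift the birthdate by a key-derived offset of up to +/-180 days: age-
    and grade-level logic in the test system still behaves, the real date is not kept."""
    d = date.fromisoformat(dob)
    shift = _prf(key, "dob", dob) % 361 - 180
    return (d + timedelta(days=shift)).isoformat()


def mask_student_number(key: bytes, number: str) -> str:
    """Keep length and digit-only format so input validation in the test system
    still passes, but derive every digit from the PRF."""
    h = _prf(key, "student_number", number)
    return str(h % (10 ** len(number))).zfill(len(number))


def mask_email(key: bytes, email: str) -> str:
    """Replace the address entirely; the reserved .invalid TLD (RFC 2606) means
    mail sent from the test system can never reach a real mailbox."""
    h = _prf(key, "email", email)
    return f"student{h % 1_000_000:06d}@test.invalid"


def mask_record(key: bytes, rec: dict) -> dict:
    """Grade and school are kept: the application needs them and, on their
    own, they do not identify an individual."""
    return {
        "name": mask_name(key, rec["name"]),
        "dob": mask_dob(key, rec["dob"]),
        "email": mask_email(key, rec["email"]),
        "grade": rec["grade"],
        "school": rec["school"],
        "student_number": mask_student_number(key, rec["student_number"]),
    }


def mask_dataset(key: bytes, records: list) -> list:
    return [mask_record(key, r) for r in records]


def leaks_original_pii(original: list, masked: list) -> bool:
    """Gate to run before the masked copy leaves production: no original name,
    email or student number may survive anywhere in the output."""
    fields = ("name", "email", "student_number")
    sensitive = {r[f] for r in original for f in fields}
    return any(r[f] in sensitive for r in masked for f in fields)


if __name__ == "__main__":
    # The masking key lives only on the production side and is never copied to test.
    key = b"constructed-demo-key-replace-with-a-real-secret"
    masked = mask_dataset(key, SAMPLE_RECORDS)
    for row in masked:
        print(row)
    print("leaks original PII:", leaks_original_pii(SAMPLE_RECORDS, masked))
```

Two design points are worth noting. First, the key is the only thing that links masked and real values, so it must be treated like any other production secret and never deployed alongside the test data; if it were, the masking would be reversible by anyone who reached the test system, which is exactly the scenario the comment worries about. Second, the `leaks_original_pii` gate catches the common mistake of adding a new PII column to the export without adding it to the masking step.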
