Hackers posted extensive data involving Pembina Trails students, staff on dark web: probe

Personal details of current and former students at 12 schools, employees’ bank account numbers and images of cheques were put on the dark web following the hack against a Winnipeg school division.

Pembina Trails School Division revealed additional findings Wednesday after cybersecurity experts did a deep dive of digital files and concluded their investigation of the December 2024 ransomware attack.

“While we know a group of cybercriminals is responsible for the incident, the investigation was unable to determine a specific cause of the incident,” superintendent and CEO Shelley Amos said in a statement. “We come out of this incident with heightened awareness regarding cyber threats and better equipped to face them in the future.”

She said Pembina Trails’ systems are secure. The division said it does not expect to provide further updates.

“Unfortunately, this does not bring closure to my members,” said Lise Legal, president of the Pembina Trails Teachers’ Association. “It does not satisfy lingering questions that members have about how the cyber incident affected them professionally and personally.”

A hacker group known as Rhysida tried to sell almost one million files, including personal details and photos of students and staff, for $1.6 million in January after the division refused to pay a ransom. The files were later dumped on the dark web.

“It does not satisfy lingering questions that members have about how the cyber incident affected them professionally and personally.”

Cybersecurity analyst Carmi Levy encouraged staff, students and parents to be vigilant because the information on the dark web puts them at greater risk of identity theft or financial fraud.

“The victims have to keep their eyes especially open in the months and years to come because this particular event amplifies the kind of risks they now face,” Levy said. “It’s a risk that never ends.”

He said affected students will be at risk of fraud or other threats well into their adult years, so parents should ensure they’re aware by the time they become of age.

He encouraged victims to monitor bank and credit card accounts, sign up for fraud alerts and use credit or identity-theft monitoring services.

There was enough information in the breach to allow a fraudster to try to sign up for a credit card, apply for a loan or impersonate victims in other ways for financial gain, Levy said.

Fraudsters use stolen data to craft personalized phishing emails or messages while posing as a bank, school division or other entities, so it’s important to verify emails are legitimate, he warned.

“A risk that never ends.”

The division in southwest Winnipeg has said the published files were in four categories, including backups of student databases from 2011 to 2024.

Student databases contain names, birthdates, addresses, contacts for parents or guardians, most recent school photos and health card numbers.

Pembina Trails has 36 schools, more than 17,600 students and almost 2,500 employees.

The three other categories were excerpts from a staff payroll database, information of some students at 12 schools from 1999 to 2024, and division administrative documents.

The 12 schools are: Acadia, Bairdmore, Crane, Fort Richmond, Oakenwald, Pembina Trails Collegiate, Ralph Maybank, St. Avila, Shaftesbury, South Pointe, Vincent Massey and Viscount.

Details include social insurance numbers, passport numbers and behavioural information, the division said Wednesday.

Names, birthdates, contact information and provincial health and bank account numbers of teachers and staff division-wide were exposed. Some files contained social insurance numbers and details of disciplinary action.

Hackers posted images of two teachers’ passport photo pages when they tried to sell the stolen data.

Pembina Trails said people who wrote cheques to the division between 2021 and 2024 were also likely affected. Images of cheques, including account numbers, were exposed. Some driver’s licence numbers were also at risk.

Pembina Trails published additional details on its website.

The division hired an outside cybersecurity firm to contain and investigate the breach, and review the files on the dark web.

Winnipeg police said an investigation continues. Pembina Trails also reported the breach to Manitoba’s ombudsman.

The division spent about $536,000 on credit monitoring for current and former staff (for three years), IT and legal services, and public relations by the end of January, per a breakdown obtained by the Free Press.

Winnipeg Free Press | Newsletter

Dan Lett | Not for Attribution

Tuesdays

A weekly look at politics close to home and around the world.

Sign up for Dan Lett | Not for Attribution

Sign Up

I agree to the Terms and Conditions, Cookie and Privacy Policies, and CASL agreement.

All but about $50,000 was being claimed for reimbursement under an insurance policy.

Free credit monitoring was extended to some students, including those who received an honoraria, scholarship or award and provided their social insurance number to the division between 2018 and 2024, Amos said.

Levy urged people to use strong and unique passwords for online accounts, and set up multi-factor authentication whenever possible.

People should contact Service Canada if their social insurance number was exposed, he said.

chris.kitching@freepress.mb.ca

Chris Kitching
Reporter

Chris Kitching is a general assignment reporter at the Free Press. He began his newspaper career in 2001, with stops in Winnipeg, Toronto and London, England, along the way. After returning to Winnipeg, he joined the Free Press in 2021, and now covers a little bit of everything for the newspaper. Read more about Chris.

Every piece of reporting Chris produces is reviewed by an editing team before it is posted online or published in print — part of the Free Press‘s tradition, since 1872, of producing reliable independent journalism. Read more about Free Press’s history and mandate, and learn how our newsroom operates.