- A digital attack on Pembina Trails School Division (located in Winnipeg, Manitoba, Canada) leaked almost 1 million files that contained sensitive credentials of staff and students.
- Hackers attempted to put the stolen information on sale for more than $1 million in bitcoin before discarding it on the dark web.
- The incident affected staff, students, as well as families associated with 12 schools spanning 25 years of records.

A school division in south Winnipeg just closed the book on a nightmare scenario. Nearly a million files stolen. Personal data from students, teachers, and families leaked to the dark web. It is a vivid example of a cybercrime wave that is hitting educational institutions on a global scale (as we saw in the recent Ghana education data breach case). This time around, bad actors tried to monetize it all for more than a million dollars' worth of bitcoin.
Superintendent Shelley Amos announced the conclusion of the year-long cyber attack investigation at Pembina Trails School Division on November 26. The division provided final notifications to all affected individuals on Wednesday.
Stolen Data on Sale for Over $1 Million Regardless of Its Content
The stolen data paints a complete picture of the division’s operations over decades. Hackers grabbed backups of the student information system database. They took excerpts from staff payroll records. Student and staff storage files from 12 of the division’s 36 schools were accessed. They even scooped up administrative documents from the division office.
After the attack last December, the hacker group tried to cash in. They listed the stolen data for sale at over $1 million in bitcoin. When no buyer materialized, they simply released everything on the dark web. That’s when the real damage began.
The division’s latest update breaks down exactly who got caught in this breach. Since 1999, thousands of students have had their private data (such as contact numbers, health information and sensitive documents, including passports, health cards, and social insurance numbers) exposed due to hacking incidents at the twelve Pembina Trails School Division schools.
Staff and teachers who worked at these twelve affected schools from 2001 to 2024 were also impacted by these disclosures. The hackers potentially obtained their social insurance numbers, bank account numbers, and even disciplinary information. That's 23 years of employee records completely compromised.
The Ripple Effect Beyond Students and Staff
The breach didn't stop at people directly employed by or enrolled in the division. Those who wrote cheques to Pembina Trails from 2021 to 2024 may be victims. Community members and parents who submitted scanned copies of their driver's licences or passports to the division from 2005 to 2024 may also be victims.
This extended reach means the actual number of victims could be significantly higher than just current students and staff. Former students who graduated years ago. Retired teachers. Parents who volunteered or made payments. The circle keeps expanding.
Pembina Trails says it’s taking action, implementing additional layers of security through partnerships with third-party vendors, and has developed a round-the-clock, continuous security monitoring programme to prevent any future incidents from occurring. Everyone identified in the review of leaked files will receive an individual notification.
But there's a finality to Wednesday's announcement that might worry victims. The division stated it does not expect to provide more updates on this data breach. For the people affected by the nearly one million leaked files, this is apparently where the story ends from the school's perspective.
The reality is harsher. That stolen data isn’t going anywhere. It’s out there now. Social insurance numbers don’t expire. Bank account information remains valuable. Health records are forever. The hackers have likely wrapped up their attack on the Pembina Trails School Division, but the victims will continue to feel the effects of the breach for a long time. This incident is indicative of a major issue facing the education industry.
Schools maintain a plethora of personal data, often over the entire lifespan of the school (many decades). Families freely share sensitive information with these trusted institutions. But as Pembina Trails just learned the hard way, they’re also attractive targets for cybercriminals looking for quick paydays. The tools for such attacks, like compromised network access, are themselves commodities for sale on the dark web, as seen in other recent breaches targeting critical infrastructure.