Cyber Incident Victim: Conseil scolaire acadien provincial

Date: Jun 2023

Location: Canada

Summary

A cyber incident impacted Conseil scolaire acadien provincial (CSAP) through a vulnerability in the MOVEit file transfer service used by the Government of Nova Scotia. Personal information of the organization's employees was stolen. This was part of a larger breach affecting multiple government departments and health agencies. Notification letters were subsequently sent to thousands of affected employees, including over 12,000 from regional education centers and CSAP.

Description

On or around June 1, 2023, the Government of Nova Scotia identified a vulnerability associated with the MOVEit secure file transfer service, a vendor-provided system used globally by numerous organizations, including governments and private sector entities. In immediate response to discovering this vulnerability, the government took the MOVEit system offline and proceeded to install a security update as instructed by the vendor. Following the application of this patch, the service was subsequently brought back online. The following day, on June 2, the government became aware that further investigation was warranted. Consequently, the system was taken offline a second time, and an investigation was initiated. To assist with this investigation, the government engaged the services of IBM cybersecurity experts.

By June 3, the government confirmed that the personal information of some Nova Scotians had been stolen as a result of this incident. The investigation then focused on determining the precise nature of the stolen information and the total number of individuals impacted. The police, the Canadian Centre for Cyber Security, and the Office of the Information and Privacy Commissioner were formally notified of the breach on June 4. The Canadian Centre for Cyber Security also provided expert advice, guidance, and support to the provincial government throughout the process.

On June 6, the government announced it had determined that the personal information of many employees of Nova Scotia Health, the IWK Health Centre, and the public service had been stolen. The compromised information included highly sensitive data such as social insurance numbers, addresses, and banking information. The specific amount and type of information stolen varied depending on the individual's employer. While an exact number of affected individuals had not yet been finalized, initial government estimates suggested that as many as 100,000 present and past employees could be impacted. By June 9, the government confirmed the breach extended beyond employees to include some members of the public, in addition to more members of the public service, and that more records had been identified as stolen.

Significant progress in identifying affected groups and organizations was reported on June 14, though the investigation was still in its early stages of pinpointing specific individuals. The government announced that formal notification letters would begin to be sent out by the end of that week. The notification process officially commenced on June 16. The first batch of letters was sent to 52 clients of the Department of Community Services. On June 20, notification letters were sent to 5 students who were impacted through a Department of Labour, Skills and Immigration file. Also on June 20 and 21, letters were sent to 880 Nova Scotia pension plan recipients.

Notification efforts accelerated significantly on June 23, with letters sent to 13,385 public service employees and 153 employees of the IWK Health Centre. This was followed on June 26 by notifications sent to 10,000 employees of Nova Scotia Health. Between June 27 and 30, an additional 30,000 employees of Nova Scotia Health were notified that their information had been stolen.

The month of July began with a major wave of notifications between July 4 and 7. During this period, letters were sent to 9,483 employees of Nova Scotia Health, 12,300 employees of regional centres for education, 3,872 employees of the IWK Health Centre, and 730 employees of the Conseil scolaire acadien provincial (CSAP). On July 11, the government announced it was starting an additional notification phase for individuals whose less sensitive personal information had been stolen. This category of information was defined as posing a very low risk of identity theft or fraud and could include names, addresses, license plate numbers, and email addresses. Because of the assessed low risk, these individuals would not receive offers for credit monitoring and fraud protection services, unlike those whose social insurance numbers or banking information had been compromised.

Notifications continued throughout mid-July. On July 12, letters were sent to 12,320 employees of regional centres for education and the Conseil scolaire acadien provincial. The following day, July 13, notifications were sent to another 12,825 employees within the same education sectors. On July 14, letters were sent to 865 people who had been issued parking tickets by the Halifax Regional Municipality. July 18 saw notifications sent to 178 Nova Scotia pension plan recipients and 2 students impacted through a Department of Labour, Skills and Immigration file.

A large notification specifically for the education sector occurred on July 20, with letters sent to 15,393 employees of regional centres for education and the Conseil scolaire acadien provincial, followed by an additional 515 employees from the same groups. Also on July 20, notifications were sent to 383 people in provincial adult correctional facilities, with another 245 incarcerated individuals notified on July 26. That same day, July 26, letters were sent to 8,103 people with water and tax bill accounts in the Region of Queens Municipality. Further healthcare-related notifications were sent on July 28 to 99 people in the Department of Health and Wellness client registry due to a change of address file and to 371 people enrolled in the Prescription Monitoring Program.

The notification process extended into August. On August 2, letters were sent to 158 people in the Department of Health and Wellness client registry related to newborn registrations and to 795 people linked to data quality reports. The government acknowledged that moving forward, it would be challenging to estimate the exact number of individual Nova Scotians affected due to potential duplicate records across different government holdings. For example, the same individual could be a certified teacher, a public service employee, and have received a parking ticket, resulting in their information appearing in multiple stolen files. The government's stated priority was to assess the full extent of the breach and notify all those impacted. In its communications, the government warned individuals who received notification letters to be vigilant against phishing or scam attempts that might try to exploit the breach, emphasizing that official communications would not ask for health card numbers, social insurance numbers, banking information, or money.
