Cyber Incident Victim: Ottawa's French Public School Board

On October 18, 2021, the Conseil des écoles publiques de l’Est de l’Ontario (CEPEO), Ottawa’s French public school board, detected a network security breach and immediately secured its systems later that same day. The breach involved unauthorized access to a server located at the board’s main office, which contained approximately 75 gigabytes of sensitive data dating back to 2000. This compromised information included records pertaining to employees, students, and parents associated with the school board. Officials confirmed the attackers exfiltrated this data before the network was fully contained. In response to the theft, CEPEO opted to pay an undisclosed ransom to the hackers in an effort to prevent further dissemination or misuse of the stolen records. The decision to pay was driven by the board’s assessment of the sensitivity and volume of the compromised data, though no specific details about the ransom amount or negotiation process were disclosed publicly.

The incident disrupted CEPEO’s operations, though the exact nature and duration of these disruptions were not elaborated in available reports. Following containment, the board initiated an investigation to determine the full scope of the breach and identify affected individuals. CEPEO publicly acknowledged the attack via a statement on its website, notifying stakeholders of the data theft and emphasizing its commitment to addressing the situation. The board collaborated with cybersecurity experts and law enforcement agencies to analyze the attack and bolster its network defenses. No additional technical specifics regarding the attack vector, such as malware type or initial access method, were confirmed in the source material. The breach highlighted risks associated with long-term data retention practices, given the inclusion of records spanning over two decades. CEPEO’s response focused on mitigating harm to affected individuals while reinforcing system security to prevent future incidents.