Date: Jan 2018

Location: Canada

Summary

A ransomware attack targeted two Ontario children's aid societies, encrypting local servers containing sensitive child and family data. One agency paid a $5,000 ransom to restore access, while the other utilized offline backups to recover operations within eight hours, incurring $100,000 in remediation costs covered by cyber insurance. The attacks occurred during data migration to a new provincial database, prompting security protocol enhancements for future transfers. Cybersecurity experts and a private firm neutralized the malware, with one agency temporarily quarantined from the central system during cleanup. No data was confirmed stolen or compromised in the provincial database, though the incidents underscored vulnerabilities during system transitions and spurred reinforced cybersecurity practices across the sector.

Description

On January 18, 2018, the Children’s Aid Society of Oxford County experienced a ransomware attack that encrypted data on its local servers, rendering sensitive information about children and families inaccessible. The agency paid a $5,000 ransom to regain access to its systems, confirming no data was stolen and restoring operations by the following day. This incident followed a separate November ransomware attack against Family and Children’s Services of Lanark, Leeds and Grenville, where attackers demanded $60,000 after encrypting most servers during the agency’s data migration to Ontario’s new provincial Child Protection Information Network (CPIN) database. The Lanark agency refused payment, instead restoring systems within eight hours using offline backups while incurring $100,000 in recovery costs covered by cyber insurance. Both attacks occurred while agencies were transitioning to CPIN, a $123-million centralized system designed to improve information sharing across Ontario’s 47 children’s aid societies.

The attacks prompted immediate containment measures, including cybersecurity experts from Ontario’s Ministry of Children and Youth Services and private firms neutralizing malware in affected servers—a process requiring three weeks for the Lanark incident. The Oxford agency was quarantined from CPIN access for several weeks as a precautionary measure to prevent potential spread to the provincial database. Neither attack compromised CPIN itself, but vulnerabilities exposed during data transfers to the new system led the ministry to implement enhanced security protocols for all societies. Financial impacts included direct ransom payments, recovery expenses, and operational disruptions during restoration periods. The ministry subsequently reinforced cybersecurity best practices province-wide through collaboration with the Ontario Association of Children’s Aid Societies, emphasizing protection for a system serving approximately 14,000 vulnerable children annually with a $1.5-billion budget. Both agencies maintained that no sensitive client data was exfiltrated, though the incidents highlighted ransomware’s growing threat to public service organizations during critical infrastructure transitions.
