A significant cyber attack earlier this year has potentially exposed a wide range of sensitive personal information belonging to employees and students of the Rainbow District School Board in Northern Ontario, according to a new update from the board.
Scope of the Breach: What Information Was Exposed?
The board confirmed on Monday that a cyber incident on February 7, 2025, led to a data compromise. For nearly nine months, the organization has collaborated with external cybersecurity experts to determine the full extent of the exposure beyond an initial notice issued on February 20.
For employees, the breach is particularly severe for certain groups. Former staff whose employment ended between 2005 and 2009 likely had their Social Insurance Numbers accessed. Furthermore, current and former employees who worked for the board in 2002 are believed to have had their bank account numbers, employee ID, home address, and annual salary compromised.
Additional exposed data includes names of beneficiaries and phone numbers for employees enrolled in benefit programs in 2009 and 2016, as well as information from individuals who submitted criminal record checks between 2012 and 2019. The board stated that affected employees include full-time, part-time, and occasional staff.
Student Data Also at Risk
The breach also extended to student records across multiple schools and decades. Information such as date of birth, Ontario Education Number (OEN), and grades were likely breached for students who attended various schools from as far back as 1966 up to 2024.
Specific groups identified include alumni of several secondary schools—Lo-Ellen Park, Lockerby Composite, Confederation, Capreol High, and Northeastern—between 1989 and 2024. Student athletes from Lo-Ellen Park Secondary School from 1966 to 2012 also had data like gender and grades potentially exposed.
International students who registered in 2013, 2014, and 2020 may have had passport information compromised. The board also indicated that personal details of Greater Sudbury area residents eligible to vote in the 2022 school board trustee election were likely accessed.
Response and Ongoing Investigation
In its statement, the Rainbow District School Board, which serves the communities of Sudbury, Espanola, and Manitoulin Island, emphasized its commitment to transparency. "This extensive process, undertaken over the past nine months, was an important and necessary step in the board’s commitment to its staff, students, families and members of the public," the notice read.
Despite the scale of the potential exposure, the board noted it has not received any confirmed reports of fraud or attempted fraud linked to the incident, suggesting the immediate risk may be low. However, they have reported the breach to the Information and Privacy Commissioner of Ontario and have urged anyone who suspects fraud to contact them immediately at cyberincident@rainbowschools.ca.
"We take this matter very seriously and believe due diligence is essential for transparency, accountability and trust. We apologize to all those who have been impacted by this incident," the board concluded. The findings were released following investigations by privacy watchdogs in both Ontario and Alberta into the mass data breach.
