Ottawa's French public school board paid hackers a ransom following cyberattack

Ottawa's French public school board says it was the victim of a network security breach in October and it paid the hackers a ransom to secure the stolen data.

In a statement on its website, the Conseil des écoles publiques de l'Est de l'Ontario (CEPEO) said it was notified of the cyberattack on Oct. 18. The network was secured later that day, but officials learned hackers had stolen approximately 75 gigabytes worth of data about employees and some students and parents dating back to 2000 that was stored on a server at the board's main office.

"If you were employed by CEPEO at any time after 2000, your personal information may have been stored on the server," the board said. "We will use the contact details available to write to you personally within a week if your social insurance number, bank account number, unexpired credit card number, or date of birth has been compromised. Where applicable, we will also provide you with a free credit monitoring service for a period of 24 months."

The board explained that fewer students and parents, both current and former, were affected, and those who have been impacted will be contacted as soon as possible. The reason it took so long to announce the breach was because the board spent a lot of time analyzing what data was taken in order to offer the best advice, it said.

Anyone with questions about the incident is asked to reach out to cyberincident@cepeo.on.ca.

The school board did not say how much money was requested or paid to the hackers. In a statement, a CEPEO spokesperson said the board believed the payment was the best way to quickly secure the data.

"Protecting our community members was and remains our first priority. Therefore, after careful consideration, we made the decision to make a payment to the actors as it was the best chance to secure the data. We have received statements indicating that the data has been deleted. We are nonetheless providing this notification," the statement said.

"Our efforts are focused on identifying individuals whose compromised information included data commonly used to commit identity theft in order to support their notification. We encourage people who would like to know if their information was part of the stolen data to write to us."

The board has also contacted police and the Ontario privacy commissioner. Ottawa police would not comment.

Officials apologized to the people affected and urged them to remain vigilant for possible attempts to target them personally.

"We ask all members of our community to be vigilant. As always, you should watch out for phishing emails and other suspicious communications and monitor your financial accounts for any signs of fraudulent use," the CEPEO said.

More information about scams and frauds can be found at the Canadian Anti-Fraud Centre's website.