Hackers put price of $1.6M on personal information about Winnipeg students, school division employees


A shadowy hacker group has claimed responsibility for a ransomware attack that leaked sensitive personal information and photos of Pembina Trails School Division students and employees to the dark web.

The group, which calls itself Rhysida, sought 15 bitcoins ($1.6 million in current value) when it tried to sell stolen data in January.

The attempted sale followed a ransom demand, which the division confirmed was not paid.

A large volume of digital files, including school photos of children, was later published on the dark web, where it remained accessible to users Thursday, said Luciana Obregon, founder of Texas-based VenariX, which investigates cybersecurity incidents and helps clients avoid attacks.

“The severity kind of depends on what somebody can do with the information that was posted,” she said, citing identity theft and financial fraud as examples. “If you have a database with personal details about children, where they live and their pictures, that’s another cause for concern.”

Rhysida’s advertisement displayed passport photo pages belonging to two teachers — whose faces, names and other information were visible — and thumbnail images of documents, including one marked “confidential.”

Amid an ongoing review, Pembina Trails has said student databases dating back to 2011 were among the files made available. A database with staff payroll information could have been accessed in the Dec. 2 breach.

Student databases contain names, dates of birth, genders, addresses, contacts for parents or guardians, most recent school photos and personal health identification numbers.

As well, they contain health concerns, medical alerts or immigration details of some students.

The payroll database generally contains the names, dates of birth, genders, addresses, phone numbers, bank account details and social insurance numbers of staff since 2009, Pembina Trails has said.

The division in southwest Winnipeg has more than 17,000 students in 36 schools, and almost 2,500 employees. Some former students were also affected.

“We have no doubt the school division cares about this matter and is working diligently on it,” Manitoba Teachers’ Society president Nathan Martindale said in a statement. “But the impact of such a severe data breach on MTS members and their families cannot be overstated.

“Teacher and student data should never be compromised. There’s no doubt this will cause our members extreme psychological stress. We will do our best to help those who reach out to us.”

Obregon said Rhysida claimed to possess 5.4 terabytes of data, or about 969,000 files, belonging to Pembina Trails.

The group is thought to be in eastern Europe, she said. Some analysts believe the group is in Russia or a former Soviet state, based on its activities.

Obregon said her company has verified 42 of about 191 incidents linked to Rhysida since the group emerged in May 2023. The FBI and U.S. federal cybersecurity officials identified the group as an escalating threat that year.

Rhysida has claimed attacks against Kuwait’s finance ministry, Chile’s army, financial companies, hospitals, the British Library in London and video game maker Insomniac Games.

Some attacks came with great financial costs. The City of Columbus, Ohio approved US$7 million for recovery costs and future prevention after Rhysida leaked stolen data in 2024.

Pembina Trails spent about $536,000 on credit monitoring for staff (for three years), IT and legal services, and public relations up to Jan. 30, the division said in response to an earlier freedom of information request made by the Free Press.

All but about $50,000 was being claimed for reimbursement under a cyber insurance policy.

The attack disrupted computer, phone, PA and other systems for days or weeks, alongside concerns that student and employee information could fall into the wrong hands.

Pembina Trails brought in an outside security firm to investigate. The division later said its network was re-secured.

Supt. Shelley Amos has not done media interviews despite requests from the Free Press. Board chair Cindy Nachtigall did not respond to a request for comment Thursday.

The division has shared some information on its website and in emails, attributed to Amos, sent to the school community.

Pembina Trails has not explained how its network was infiltrated. The division does not believe it was specifically targeted.

The attack was reported to the Winnipeg Police Service and the Manitoba Ombudsman, which reviews privacy breaches involving public bodies.

Many ransomware attacks occur when an unsuspecting victim opens an attachment or clicks on a link (and then enters credentials) in a phishing email disguised as being from a trustworthy sender.

Malware infects the computer or device and spreads to other machines, if connected to a network, essentially locking out an entire organization or entity.

Cybercriminals demand a ransom, usually in cryptocurrency, in order for the victim to regain access.

“They just want to get a big payout,” Obregon said. “The motivation is purely financial.”

When a ransom isn’t paid and a third party doesn’t buy the data, the stolen files are usually published on the dark web “to get back at” the victim, she said.

That gives scammers or other users access to valuable information, Obregon said.
