The Maple Ridge – Pitt Meadows School District (SD42) is investigating and mitigating an incident involving the public release of the following information: first name, last name; school/department; district email address; student grade (K-12).
Because of the high number of records (19,126), the district assumes the incident affects both students and staff.
What is the severity of this incident?
The information that has been accessed, while concerning, was confined to easily attainable information with limited use. The sensitivity of this information is considered low. At this time, the school district has no evidence that critical information was disclosed.
What does this mean for students/families and staff?
While this data is internally available to students and staff in our active directory (email) phone book, in the wrong hands it can be used for targeted phishing attacks that attempt to trick the recipient into clicking on links or downloading attachments.
- Students/families: If your child uses their district email account, we recommend they be extra vigilant with any emails that request personal information, including passwords.
- Staff: While, in the case of staff, this information is in many cases already public facing, we anticipate that the incident will result in an increase in phishing attacks targeting staff accounts.
This is an important reminder for staff and students to never share their SD42 credentials (i.e. user ID and password) with anyone.
When did the school district learn about this incident?
The school district learned about the incident in the afternoon of January 17, 2023.
What has the school district done in response to this unauthorized disclosure?
When the school district learned about this unauthorized disclosure of personal data, it initiated an immediate review of its systems and logs for suspicious activity. No suspicious activity was found.
While it is possible this information was obtained because of a compromised student or staff email account, our investigation into how this data was accessed is ongoing.
How will I be notified of any updates on this incident?
Should additional information become available, any updates will be added to this notice. Any information we feel is critical we will also communicate to families directly through the Parent Portal.
Where can I read the notice to families about this unauthorized disclosure?
A copy of the notice to families about this unauthorized disclosure is available on the district website at https://www.sd42.ca/announcement/january-personal-information/
Whom can I contact if I have additional questions?
If you have any questions related to privacy concerns, you can contact us at privacy@sd42.ca. For technical assistance, please contact our IT HelpDesk at ithelpdesk@sd42.ca.
Letter for families
Dear families,
I am writing to let you know that the school district is investigating and mitigating unauthorized disclosure of personal information that may impact your child.
What happened?
Yesterday afternoon (January 17, 2023), we learned that a database containing 19,126 records related to our school district had been shared online. We have been advised the data consists of the following:
- First name, last name
- School / Department
- District email address
- Student’s grade level
Because of the high number of records, we are assuming this incident affects both students and staff.
What is the severity of this incident?
The information that has been publicly disclosed, while concerning, was confined to easily attainable information with limited use. The sensitivity of this information is considered low. At this time, we have no evidence that critical information was disclosed.
What does this mean for you?
While this data is internally available to students and staff in our active directory (email) phone book, in the wrong hands it can be used for targeted phishing attacks that attempt to trick the recipient into clicking on links or downloading attachments. If your child uses their district email account, we recommend they be extra vigilant with any emails that request personal information, including passwords.
What have we done in response to this unauthorized disclosure?
When we learned about this unauthorized disclosure, we initiated an immediate review of our systems and logs for suspicious activity. No suspicious activity was found.
While it is possible this information was obtained because of a compromised student or staff email account, our investigation into how this data was accessed is ongoing.
How will I be notified of any updates on this incident?
We have posted a notice about this incident to the school district website and will update this notice should additional information become available. Any information we feel is critical will be communicated to families directly through the Parent Portal.
I want to assure you we take our responsibility to safeguard the personal information of our students and staff extremely seriously. As per district protocol, we will be informing the Office of the Information and Privacy Commissioner for B.C. about this disclosure and will take all necessary steps to prevent to the best extent possible a similar incident from occurring in the future.
If you have any questions related to privacy concerns, you can contact us at privacy@sd42.ca. For technical assistance, please contact our IT HelpDesk at ithelpdesk@sd42.ca.
Sincerely,
Harry Dhillon
Superintendent of Schools