Toronto District School Board Cyberattack: Recommendations for improved security
A social engineering attack at a TDSB high school led to the unauthorized access of personal information belonging to current and former students, parents and staff across several schools. The threat actor gained unauthorized access to the affected schools’ systems by obtaining the login credentials of a school’s Vice-Principal (VP) through a social engineering attack and obtaining the login credentials for their OneDrive account from a browser cache connected to the Vice-Principal. The breach resulted in several recommendations to the TDSB by the IPC that will assist in improving its security posture.
Toronto Public Library Cyberattack: Importance of reasonable security measures and notifying affected individuals under MFIPPA
A cyberattack on the Toronto Public Library exposed vulnerabilities in its systems that contained a significant number of individuals’ personal information. Read the closing letter to learn about how the case was settled at the Early Resolution Stage.
Cyberattack of a prescribed person: IPC report highlights breach response and details the indirect notice method used to reach affected individuals
A prescribed person under the Personal Health Information Protection Act reported a breach to the IPC regarding a cyberattack that involved the unauthorized copying of approximately 3.4 million individuals’ personal health information from the prescribed person’s secure file transfer server. The threat actors gained unauthorized access to the server by exploiting a zero-day vulnerability in the file transfer software, MOVEit, that was installed on this server.
Respondus exam proctoring software: Privacy concerns and recommendations
The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a complaint about McMaster University’s (McMaster or the university) use of Respondus exam proctoring software under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act).
Hospital cyberattack: IPC decision highlights breach response and security improvements
A public hospital notified the office of the Information and Privacy Commissioner of Ontario (the IPC) of a breach under the Personal Health Information Protection Act (the Act), as there had been a cyberattack against the hospital. After the hospital self-reported the breach, the IPC opened a file relating to this breach, and subsequently received four complaints from affected individuals.