Data Breaches in Canada’s Education Sector are Nothing New

Bad Privacy Blog by Claudiu Popa
6 min readApr 19, 2024

It’s Not a Matter of Cover-Ups. It’s a Matter of Disincentives.

We didn’t have to wait for the advent of the cloud to introduce society to the reality of data breaches in higher education. In the UK, where breach reporting occurs more diligently, more than half of all institutions reported a breach in the year 2020 alone. Not to be outdone, US higher learning institutions reported some 26 million student records breached in over 1300 attacks in the past two decades, since the trend started in earnest.

To wit, data breaches in colleges and universities started to become significant around the early 2000s. One of the earliest documented instances occurred in 2002 when Yale University experienced a breach initiated by intruders from Princeton, who accessed data regarding Yale’s admissions decisions. This event marked one of the first major breaches in the higher education sector and highlighted the vulnerabilities within these institutions.

Since then, breaches have become more frequent and sophisticated, involving large volumes of personal data including social security numbers, health information, and financial details of students, faculty, and staff. Notable subsequent breaches include a major incident at the University of California, Los Angeles in 2005, where a hacker accessed private data of nearly three-quarters of a million people. This breach underscored the scale at which these incidents could occur and the extensive personal and institutional harm they could cause​ (College Consensus)​.

The increasing occurrence of these breaches over the years highlights the critical need for robust cybersecurity measures within educational institutions to protect sensitive information from unauthorized access and ensure privacy and security for all members of the campus community.

Which brings us to Canada, where security incidents and data breaches are a matter of great embarrassment, to the point where public disclosure only happens as a last resort. In effect, a culture of secrecy is well entrenched despite the regulatory changes enacted back in November 2018 that require private sector organizations to disclose such incidents, particularly if they carry a “real risk of significant harm” (RRoSH). Clearly not a lot of risk is carried by data breaches this side of the border, as colleges and universities very rarely report any incidents. Or maybe it’s the fact that the famous RRoSH test is left at the discretion of the organization accountable for the breach in the first place.

Regardless, when, according to the CBC, “earlier this week, administration at the University of Winnipeg confirmed a ‘threat actor’ managed to gain entrance to its system, and that the university took its network down to protect its data”, the University also declined to provide any further details.

My reaction? You don’t say! The university “declined to provide any further details”? The culture in Canada — and in any other country where enforcement of privacy and security legislation is weak — basically indicates that unless an institution is legally forced to report anything, it will confess absolutely nothing.

We’ve known about undisclosed cyberattacks on higher education for decades but there’s been no shortage of disincentives to changing the status quo. For example, here are just five:

  1. Lack of legislation: for the first couple of decades of this millennium there was no law forcing breach disclosure.
  2. Lack of enforcement: now that we have a superficial degree of legislative support for breach disclosure; weak enforcement, investigative delays & lack of authoritative power on the part of various agencies perpetuate the situation.
  3. Lack of investment: in the absence of regulatory pressure and authoritative enforcement, why feed such an expensive cost centre, only to risk damaging public trust?
  4. Fear of reputational impact: as with the examples set by banks, telcos and other oligopolies, educational players don’t operate in a vacuum. They can’t just unilaterally report their biggest failures without all the others being impacted, so there’s a risk of repudiation by their would-be competitors that can leave those opting for transparency to experience reduced enrollment (read, profits).
  5. Finally, attribution is hard.

That last point is not an excuse for not sharing such critical information as the details and nature of a data breach, but it does add to the humiliation as it appears that not only did the organization get owned, it also does not know who did it.

Sadly, it appears that in the absence of breach notification, not only are individual victims left to fend for themselves, it also means that the institution hasn’t bothered to even notify their own insurance company, preferring instead to ‘contain’ the breach.

Interestingly, such practices are widespread in the higher and lower education space in Canada. I am reminded of one particular situation where the York Region District School Board tried to ‘contain’ a situation of their own creation, as they unilaterally decided to share some 113,000 student records with a local web start-up and didn’t bother to check the security or privacy of the platform, system or their own approach to ‘outsourcing’ their ill-fated learning management system.

‘Contain’ remained the mantra as I tried to explain to them just how catastrophic a mistake it was to risk all this private data for students (so me of which have visible medical conditions) and parents that scarcely had any idea it was happening. All of it was ‘just’ my opinion, so they found it easy to dismiss, calling my intervention ‘disingenuous’ for suggesting that they overhaul the entire platform rather than just patch it here and there to obfuscate their mistakes.

After more than two years of investigations were carried out by the Federal Privacy Commissioner (OPC) and Ontario’s Information Privacy Commissioner (IPC), a number of recommendations were made to the board and their vendor, Edsby, to button up their practices, adopt industry standards and generally ‘do better’. As I recall, one of the OPC’s comments was that while information might have been compromised, it occurred before November 2018 when the law changed, so the company was under no obligation to report it. Apparently that same lax approach to privacy and security led to the same company’s latest embarrassing blunder:

Compared to the enormous numbers of student records the company collects and shares with unnamed parties, this “data issue” is a drop in the bucket, but it will take some legal reform to give Privacy Commissioners enforcement powers. Until then, so-called edtech companies will continues to collect and compromise student personal data with impunity, particularly when public education bodies provide ample cover for them to do so.

Click here to view full article.

As for the CBC article referencing international threats and foreign “bad actors”, it remains an issue, but in my humble-but-informed opinion, we’ve got bigger issues here at home where educational institutions at any level have weak controls and safeguards when it comes to:

  1. Student data collection constraints
  2. Consent and permission processes
  3. Retention and destruction practices
  4. Confidentiality, encryption and access control weaknesses
  5. Training and incident management
  6. Cybersecurity budgets and privacy compliance investments

More than everything, I find that accountability tends to remain a key concern despite the general knowledge that student data, the raw material powering the Canadian education space has not only been monetized by organized crime groups but also technology vendors that encourage the overcollection and oversharing of vast amounts of sensitive information.

For a tip to determine whether your public board or higher learning institution of choice has adopted proper security and privacy practice, look no further than their data disposal practices. Any school board worth its salt will voluntarily and diligently insist on deleting all non-critical data from their own systems, and all information from their vendors’ platforms, putting the onus on these to ensure that their own supply chain also purges data.

In the absence of such practices — particularly with the frenetic race to adopt as many AI tools as budgets will allow — Canadian institutions will continue to remain an irresistible target for ‘entrepreneurial’ service providers and financially motivated cybercriminals.

--

--

Bad Privacy Blog by Claudiu Popa
Bad Privacy Blog by Claudiu Popa

Written by Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.