Personal information of students and staff – including social insurance numbers and banking information – was compromised during a recent cyber attack, the Rainbow District School Board said Thursday.
While the board initially reported that it didn’t believe sensitive information was accessed, further investigation into the Feb. 7 attack revealed a wide spectrum of information was accessed.
“All staff members currently employed by Rainbow District School Board as well as individuals who worked for the Board between January 2010 and February 2025 are affected,” the board said in a news release.
“This includes full-time, part-time and occasional staff.”
For this group, compromised information includes address and primary phone number, social insurance numbers (for staff 2012 onward) and bank account numbers for staff hired since August 2017.
Medical information of those hired in 2022 and later was compromised, including doctor notes, physical abilities forms and leaves of absence forms.
Anyone in this group who is a victim of fraud as a result is asked to send an email to cyberincident@rainbowschools.ca.
Free credit monitoring
The board is also offering two years of credit monitoring free of charge for all staff affected by the breach.
In addition to staff, all students who attended from June 2012 to June 2024 had the following information compromised: date of birth, gender, home address, parent/guardian names and contact information, academic achievement data (grades and completion data), Ontario Education Number.
Also affected were the identity of medical providers, medical information and immigration information.
“Current and former students with an identified exceptionality who have been enrolled in an Intensive Support Program in Rainbow Schools since 2019,” the board said.
“Compromised data includes being identified with an exceptionality, assessment information, medical diagnosis, and information about related needs, including accommodation and student support information, behavioural information and health card number.”
Contact information of parents or guardians of affected students was also compromised, including phone numbers, home addresses, email addresses and place of employment.
Tax information, SIN
Any student who received a scholarship since 2011 had their T4A income tax and social insurance number compromised.
“Rainbow District School Board is providing affected scholarship recipients whose social insurance number has been compromised and who have reached the age of majority with a two-year TransUnion® credit monitoring service, on request, at no charge,” the release said.
“This service monitors for signs of identity theft so that individuals can react in the event of data use for fraudulent purposes.”
Email cyberincident@rainbowschools.ca to request the credit monitoring service. Affected scholarship recipients who are currently below 18 years of age are not eligible for credit monitoring.
The cyber attack took place Feb. 7, with systems being shut down at 10 a.m. and the cyber incident was confirmed by mid-afternoon.
‘Deeply sorry’
“Since then, we have been working diligently with cyber security experts to assess the impact, including whether any personal information was compromised,” the board said.
“We take this matter very seriously and apologize to all those who are affected. We understand this news will be as concerning to you as it is to us and we are deeply sorry.”
The attack has been reported to Greater Sudbury Police Service and the Ontario Provincial Police, as well as the Information and Privacy Commissioner of Ontario.
“Our investigation with third-party experts is ongoing and we will provide further notifications, as required,” the board said.
More information, including the full FAQ on the incident, can be found here.
