
BREAKING: Employee info stolen from Catholic school board servers

SooToday has learned that Huron-Superior Catholic District School Board was targeted by notorious Royal ransomware group; unknown if board paid to retrieve stolen data

The Huron-Superior Catholic District School Board has confirmed that last month’s ransomware attack has resulted in the theft of a “significant number of files from a board file server” — including social insurance numbers and banking information for staff members employed by the board between 2019 and 2022. 

The hackers have informed the board that they have since deleted the files, but in a statement released Tuesday, board officials say the board intends to "analyze the files that were stolen and determine who to notify." 

Board officials say the process could take months.

“Given the nature of the information exposed and in an attempt to give peace of mind, we will be providing these employees with an offer for a free, two-year credit monitoring service — a service that allows one to check for signs of identity fraud so protective action can be taken,” board officials said. 

SooToday has learned the English Catholic school board was the target of a new yet notorious form of ransomware that has recently been deemed a threat to the U.S. healthcare sector.

When the school board’s computer and phone systems were breached Dec. 15, the hackers sent a type-written note through printers and photocopiers at both the board office and numerous schools.

SooToday has obtained a copy of that note, which confirms that the board’s computer network was hit by Royal ransomware — encrypting its critical data and holding it hostage until a “modest royalty” is forked over.

The dollar amount of the ransom demand is not specified in the letter, but it does contain a link for the board to communicate with the attackers.

“If you are reading this, it means that your system were hit by Royal,” reads the note, which goes on to mock the school board for being vulnerable to such an attack. “[L]ikely what happened was that you decided to save money on your security.”

The note goes on to say that the board’s “critical data was not only encrypted but also copied,” which means it can be published online for “anyone on the internet to read.”

“Fortunately, we got you covered!” the note continues. For a “modest ransom,” the hackers promise to restore the system back to normal.

“To put it simply, your files will be decrypted, your data restored and kept confidential,” the note reads. “Try Royal today and enter the new world of data security! We are looking forward to hearing from you soon!”

Earlier this month, the cybersecurity arm of the U.S. Department of Health and Human Services issued a warning to the healthcare sector about similar ransomware attacks by Royal, stating that once infected, the demand for payment has ranged anywhere from US$250,000 to more than US$2 million.

“Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations,” said the report. “While most of the known ransomware operators have performed ransomware-as-a-service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal. 

“The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.”

As SooToday first reported, students at the English Catholic school board were sent home early last month as a result of the cyberattack and schools remained closed the next day heading into the Christmas break.

SooToday has asked the board if it has paid a ransom to its attackers, and is still awaiting a response.  




About the Author: James Hopkin

James Hopkin is a reporter for SooToday in Sault Ste. Marie