Father says teen, other students had info hacked at GTA school
When Kirk Tobias' daughter logged onto her school's student portal one morning last month, she was greeted by an ominous note.
Under the image of a leering face was a list containing her address, telephone numbers and school-related log-in details, accompanied by a threat of further contact from what appeared to be an anonymous hacker, the father of the 16-year-old said.
The frightened teen informed her parents, who said they promptly reported the matter to her high school in Markham, Ont. The institution called police -- who confirmed a database hack -- but Tobias said he believes the school's board only learned of the incident when he called its privacy officer.
"They're not doing what they need to do to protect the data of the students," Tobias said of the school and the board. "If they had a system in place from the beginning that had proper protocols to protect the data, none of this ever could have happened."
The episode illustrates an issue raised in this week's report from Ontario's auditor general, who flagged widespread concerns about student data security at the province's 72 public school boards.
Tobias said the drama with his daughter began unfolding unbeknownst to him and his wife when his teen received a phone call on Nov. 3 from a student with whom she shared a class at Markham District High School but had no prior social interaction.
The digital note on her computer appeared the next morning when she logged into the Google Applications account set up by the board to handle many school communications, Tobias said.
"To say that she was completely freaked out was a gross understatement," he said.
Tobias said he went directly to the school the following day and the institution notified police.
York regional police said they launched an investigation on Nov. 5 and found evidence of a database hack.
"It appears that the suspect had accessed a file that contained the login information and passwords for all of the students at the school that give them access to their student account file," said Const. Andy Pattenden.
He said police opted not to lay charges against a teen believed to be responsible but instead issued a verbal caution under the Youth Criminal Justice Act.
Tobias said he remained in contact with the school throughout the week the hack was discovered in a bid to address both the data breach and what he felt was a threat to his daughter's safety. Dissatisfied with the response he was getting, he said he took matters to the privacy officer at the York Region District School Board.
Tobias said the officer told him the school had not informed her of the data breach.
The school contended otherwise in a note to parents on Nov. 13 that outlined the information that had been accessed. The principal stated in the letter that she had notified the board's privacy office. That was repeated in a followup notice Nov. 28, in which the principal said student passwords were changed in response to the breach.
Markham District High School's staff declined to comment on the situation, referring inquiries to the board.
Board Associate Director Karen Friedman issued a statement confirming that a breach of student information had taken place in early November, that student passwords had been changed in response, and that the board had co-operated with the police investigation.
She did not immediately respond to questions as to how the board learned of the breach in the first place, but said extra security measures were being put in place.
"York Region District School Board takes the security of student personal information very seriously," she said. "... We are very sorry for any issues this has caused."
On Wednesday, Ontario's auditor general warned of such situations in her annual report, saying public school boards were not taking "all reasonable steps" to secure student information.
Bonnie Lysyk said the use of outdated technology that's vulnerable to hacking or the failure to close security loopholes was concerning.
"Accounts of inactive users of the ministry's IT system are not always being cancelled after they leave their positions at the boards," the report reads. "These accounts are accessible on the internet, which means that there is a risk that confidential student information may be exposed to the public."
--With files from Liam Casey