It’s been over a week since the Durham District School Board was hit by a massive cyber attack and they still haven’t brought all of their systems back online and figured out what actually happened.

One expert in the field says it’s most likely a ransomware attack that serves as a reminder that too many public institutions remain highly vulnerable.

The attack on the GTA board happened Friday Nov. 25 and it initially took down all phone and email systems, as well as shutting down school for those enrolled in online classes.

It was only this past Friday – a week after the attack – that the board announced “phones, emails and internet access at schools are now working and various applications should start coming online.”

There was a caveat though: “Parents/guardians should be aware that we are still not able to send an automated message home if a student is not at school. Once this safe arrival system comes back online we will inform you.”

The board also admits they don’t have a handle on what occurred. “Work is underway to investigate what happened, the extent of the impact, and if there are privacy concerns,” Stephanie Aylesworth, a communications specialist with the board, told True North. “This work is complex and will take a significant amount of time to complete. We are committed to sharing more when we have confirmed information.”

How did this happen? How can it be prevented? And what does it say about the rest of the public system in terms of how at-risk other services are to such attacks?

Christian Leuprecht, a professor cross-appointed to the Royal Military College and Queen’s University, definitely sees it as a worrisome situation.

“In all likelihood, this is a ransomware attack: attackers hold data and networks hostage until a ransom is paid,” Leuprecht said in response to interview questions from True North. “Attackers search for any weak link they can find; so, it’s less likely that this school board was targeted deliberately and more likely that attackers found a way in.”

Durham District School Board did not directly answer when True North asked if the attack involved a ransom request.

“School boards don’t usually buy cyber insurance; so, they have a choice of either trying to rescue or rebuild their network (which will take quite some time); or to pay up,” Leuprecht, who is also a fellow at the NATO Defence College in Rome, explained.

Companies and institutions are reluctant to discuss ransomware attacks and loathe to admit if they’ve been paid out, largely to discourage future attacks. But if the public doesn’t realize the extent of the problem – both how at-risk our systems are and how they’re regularly being held hostage – how can they demand greater accountability and resiliency?

The Newfoundland & Labrador government hinted that they may have paid out a ransom last year when an attack shut down many hospital services across the province.

Leuprecht says it’s likely that the federal Communications Security Establishment is involved in assisting the board. Ontario’s Ministry of Education also confirmed to True North that they’re offering support.

But, according to Leuprecht, the time may have come for smaller organizations like school boards to be brought under the cybersecurity umbrella of larger operations.

“While federal and provincial departments and agencies are now reasonably well protected, local governments and entities, such as school boards, public transit, or health, remain vulnerable because, like small and medium-sized companies, they look at cybersecurity as a net cost; so, it’s not a priority,” he says.  

“While they must do better at protecting their networks, the day has come when the province probably needs to pick up the cost of running all networks that fall under provincial jurisdiction in the cloud to ensure it meets the latest standards.”

Clearly something needs to change, because our public services are increasingly at the mercy of bad actors.