Despite the natural impulse to treat breaches as a lost cause, there's still a lot we can do to limit, reduce, or even prevent the damage.
When a university gets breached in Canada, I (and just about any other Canadian who has been paying attention) can usually predict what comes next: a short confirmation, vague language about a “threat actor,” and assurance that they simply haven't seen any misuse of the stolen data so far, so we can sleep easy. Oh, and they have also gone through the extra trouble of notifying the Privacy Commissioner, so we parents don't have to. So kind.
Just The Bare Facts Required By Law And Nothing More
Last year's announcement from the University of Winnipeg fit the pattern. The school confirmed an intruder got in, took systems offline to protect data, and declined to share details.
That response is not a one-off. It reflects a culture that has learned, over time, that saying less is safer than saying more, especially when enforcement is weak and consequences are optional.
Other countries have their own issues, but disclosure norms matter. In the UK, breach reporting has historically been more routine, and the result is a clearer public picture of how often higher education gets hit. In the US, higher education has absorbed decades of breaches, many involving sensitive identity and financial data. The lesson is not that one country is virtuous and another is not. It’s that incentives shape honesty.
Which brings me to the real problem: in Canada, the incentives still point toward minimization, containment, and delay. Delay until life catches up and we're too exhausted to track the issue, or until other tasks take centre stage. They are always right to assume that public attention is just a matter of minutes. Hardly anyone ever complains about privacy violations, even those involving the youngest members of our society. Because, they say, what's the point?

Data breaches in colleges and universities started to become significant around the early 2000s. One of the earliest documented instances occurred in 2002 when Yale University experienced a breach initiated by intruders from Princeton, who accessed data regarding Yale’s admissions decisions. This event marked one of the first major breaches in the higher education sector and highlighted the vulnerabilities within these institutions.
When Breaches Scale, Harm Scales
Since then, breaches have become more frequent and sophisticated, involving large volumes of personal data including social security numbers, health information, and financial details of students, faculty, and staff. Notable subsequent breaches include a major incident at the University of California, Los Angeles in 2005, where a hacker accessed private data of nearly three-quarters of a million people. This breach underscored the scale at which these incidents could occur and the extensive personal and institutional harm they could cause (College Consensus).
The increasing occurrence of these breaches over the years highlights the critical need for robust cybersecurity measures within educational institutions to protect sensitive information from unauthorized access and ensure privacy and security for all members of the campus community.

Canada's Quiet Zone
Which brings us to Canada, where security incidents and data breaches are a matter of great embarrassment, to the point where public disclosure only happens as a last resort. In effect, a culture of secrecy is well entrenched despite the regulatory changes enacted back in November 2018 that require private sector organizations to disclose such incidents, particularly if they carry a “real risk of significant harm” (RRoSH). Clearly not a lot of risk is carried by data breaches this side of the border, as colleges and universities very rarely report any incidents. Or maybe it’s the fact that the famous RRoSH test is left at the discretion of the organization accountable for the breach in the first place.
Regardless, when, according to the CBC, “earlier this week, administration at the University of Winnipeg confirmed a ‘threat actor’ managed to gain entrance to its system, and that the university took its network down to protect its data”, the University also declined to provide any further details.
My reaction? You don’t say! The university “declined to provide any further details”? The culture in Canada and in any other country where enforcement of privacy and security legislation is weak basically indicates that unless an institution is legally forced to report anything, it will confess absolutely nothing.
We’ve known about undisclosed cyberattacks on higher education for decades but there’s been no shortage of disincentives to changing the status quo. For example, here are just five:
- Lack of legislation: for the first couple of decades of this millennium there was no law forcing breach disclosure.
- Lack of enforcement: now that we have a superficial degree of legislative support for breach disclosure, weak enforcement, investigative delays and a lack of authoritative power on the part of the various agencies perpetuate the situation.
- Lack of investment: in the absence of regulatory pressure and authoritative enforcement, why feed such an expensive cost centre, only to risk damaging public trust?
- Fear of reputational impact: as with the examples set by banks, telcos and other oligopolies, educational players don’t operate in a vacuum. They can’t just unilaterally report their biggest failures without all the others being impacted, so there’s a risk of repudiation by their would-be competitors that can leave those opting for transparency to experience reduced enrollment (read, profits).
- Finally, attribution is hard.
Attribution Is Hard, Silence Is Still a Choice
That last point is not an excuse for not sharing such critical information as the details and nature of a data breach, but it does add to the humiliation as it appears that not only did the organization get owned, it also does not know who did it.
Sadly, it appears that in the absence of breach notification, not only are individual victims left to fend for themselves, it also means that the institution hasn’t bothered to even notify their own insurance company, preferring instead to ‘contain’ the breach.

When Containment Becomes Intimidation
Interestingly, such practices are widespread in the higher and lower education space in Canada. I am reminded of one particular situation where the York Region District School Board tried to ‘contain’ a situation of their own creation, as they unilaterally decided to share some 113,000 student records with a local web start-up and didn’t bother to check the security or privacy of the platform, system or their own approach to ‘outsourcing’ their ill-fated learning management system.
‘Contain’ remained the mantra as I tried to explain to 'differently incentivized' administrators just how catastrophic a mistake it was to risk all this private data for students (some of whom have visible medical conditions) and parents that scarcely had any idea it was happening. All of it was ‘just’ my opinion, so they found it easy to dismiss, calling my intervention ‘disingenuous’ for suggesting that they overhaul the entire platform rather than just patch it here and there to obfuscate their mistakes.
Stop, Or We'll Say "Stop" Again!
After more than two years of investigation by the Federal Privacy Commissioner (OPC) and Ontario’s Information and Privacy Commissioner (IPC), a number of recommendations were made to the board and their vendor, Edsby, to button up their practices, adopt industry standards and generally ‘do better’. As I recall, one of the OPC’s comments was that while information might have been compromised, it occurred before November 2018 when the law changed, so the company was under no obligation to report it. Ethics be damned.
Apparently that same lax approach to privacy and security led to the same company’s latest embarrassing blunder:
Compared to the enormous numbers of student records the company collects and shares with unnamed parties, this “data issue” is a drop in the bucket, but it will take legal reform to give Privacy Commissioners enforcement powers. Until then, so-called edtech companies will continue to collect and compromise student personal data with impunity, particularly when public education bodies provide ample cover for them to do so.

As for the CBC article referencing international threats and foreign “bad actors”, it remains an issue, but in my humble-but-informed opinion, we’ve got bigger issues here at home where educational institutions at any level have weak controls and safeguards when it comes to:
- Student data collection constraints
- Consent and permission processes
- Retention and destruction practices
- Confidentiality, encryption and access control weaknesses
- Training and incident management
- Cybersecurity budgets and privacy compliance investments
Above all, I find that accountability remains a key concern despite the general knowledge that student data, the raw material powering the Canadian education space, has been monetized not only by organized crime groups but also by technology vendors that encourage the overcollection and oversharing of vast amounts of sensitive information.
The Easiest Indicator: Data Disposal
For a quick way to tell whether your public board or higher learning institution of choice has adopted proper security and privacy practices, look no further than its data disposal practices. Any school board worth its salt will voluntarily and diligently insist on deleting all non-critical data from its own systems, and all information from its vendors’ platforms, putting the onus on those vendors to ensure that their own supply chain also purges the data.
In the absence of such practices, particularly with the frenetic race to adopt as many "edtech" AI tools as budgets will allow, Canadian institutions will remain an irresistible target for ‘entrepreneurial’ service providers and financially motivated cybercriminals.

To end on a positive note, I was fortunate to have been exposed to the worst aspects of public education governance, risk mismanagement and technology abuses, and have since redoubled my efforts at evangelizing the value of rebuilding parental trust and personal information protection.
If you'll forgive the opportunistic plugs, I think this is the ideal spot to highlight the positive outcomes that resulted in content and solutions to problems that many schools, boards and technology suppliers have been struggling with for many years:
- Quality information: A herculean effort to pull together insider information and fantastic guests resulted in a couple of seasons of the CybersecurED Podcast in collaboration with voicED Radio. (also available as a college and university course for educators, administrators and edtech implementors)
- PbD for Public Education: How do you build Privacy by Design into school boards? A Verify Privacy(tm) service from Managed Privacy Canada has been available since 2019. Share https://www.edtechprivacy.ca/ with parent councils and school board administrators to build protection ahead of the next breach by running board-wide privacy impact assessments and identifying risk and compliance hotspots.
- Cybersecurity still has a place in education: Back in 2016, when school boards began their ill-fated migration to the cloud, the irreversible damage affected more than privacy. Skilled tech workers were made redundant as server rooms became obsolete and student data was sent to data centres managed by venture capital-backed startups and to foreign data centres. Datarisk Canada now offers a Verify EdTech Risk Assessment to conduct standards-based, confidential information security audits that can prevent data breaches in the first place: https://www.edtechsecurity.ca
- Reskilling Tech Employees: Speaking of the brain drain that followed the 'modernization' of school boards into today's mechanisms of longitudinal data collection, a major part of the reason why provincial auditors deplored the sorry state of public education cybersecurity is the lack of technical proficiency among IT staff. Since then, Informatica Education launched WorkLife Learning (https://www.worklifelearning.ca/), to not just train IT workers, but to professionally certify tangential roles and rebuild the trust of stakeholders.
- Public Education is Flooded with Sketchy AI Technology: One of the core requirements of AI procurement is explainability. Sadly, schools and boards are adopting cloud AI, SaaS and apps at such a high rate that due diligence falls by the wayside, making data breaches a near-certainty. www.AIrisk.ca is a project that makes vendor risk assessment manageable for school boards and higher education.
Knowing the risk scores of service providers and technology suppliers year-round would go a long way towards stopping privacy violations and consent grabs across Canada. Another Datarisk Canada project of critical importance is https://www.ai-security.ca/, where certified professional expertise meets global AI standards like ISO/IEC 42001.
Without knowing how to secure the personal information of students and families, Canadian school boards are likely to keep replaying the same film over and over again, frustrating the public and continuing the humiliating erosion of institutions that used to be trusted with the generational details of our society's most vulnerable individuals.
For those readers with the ability to influence school board administrators to do the right thing, consider what is perhaps the most important way to reduce the attack surface: minimizing data collection and deleting all non-essential data at the end of each school year.
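As an added illustration of the year-end deletion practice described above and in the data disposal tip earlier on this page, here is a small Python planner that applies a retention schedule to a constructed set of records. This is example code written for this page, not code from the original post nor from any board or vendor it names. The record categories, the retention periods, the record layout and the vendor names are all assumptions made for the example. The planner deletes only what it can classify, keeps anything under legal hold, and turns data held by vendors into explicit deletion requests rather than silently skipping it, which is the supply-chain step the text says boards should put the onus on.

```python
"""Year-end retention purge planner.

Added example, not code from the original post or from any board or vendor
named in it. The retention schedule, categories, vendors and records below
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical retention schedule (an assumption for this example, not any
# board's actual policy). A value of N means "purgeable once N further
# school years have ended after the one the record belongs to"
# (0 = purge at the end of that same school year). None means the record
# is on a permanent or long-term schedule and is outside this year-end job.
RETENTION_YEARS = {
    "enrollment": None,        # part of the permanent student record
    "grades": None,            # likewise
    "medical_note": 0,         # needed only for the year it applied to
    "field_trip_consent": 0,   # single-use consent form
    "lms_activity_log": 0,     # vendor telemetry, never needed after year end
}

REASON_PERMANENT = "permanent schedule"
REASON_HOLD = "legal hold"
REASON_ACTIVE = "within retention"
REASON_REVIEW = "unclassified: review before any action"


@dataclass
class Record:
    record_id: str
    category: str
    school_year_end: date   # e.g. 30 June of the school year the record belongs to
    holder: str             # "board" for local systems, otherwise the vendor's name
    legal_hold: bool = False


@dataclass
class PurgePlan:
    delete_local: list = field(default_factory=list)
    vendor_requests: dict = field(default_factory=dict)  # vendor -> [record ids]
    retained: list = field(default_factory=list)
    reasons: dict = field(default_factory=dict)          # record id -> why retained


def expiry_date(rec: Record, years: int) -> date:
    """Date on which a record with an N-year retention becomes purgeable."""
    end = rec.school_year_end
    return date(end.year + years, end.month, end.day)


def plan_purge(records, today: date) -> PurgePlan:
    """Decide, per record, whether to delete locally, request vendor deletion, or retain."""
    plan = PurgePlan()
    for rec in records:
        if rec.category not in RETENTION_YEARS:
            # Fail closed: never delete what you cannot classify, but surface it.
            plan.retained.append(rec.record_id)
            plan.reasons[rec.record_id] = REASON_REVIEW
            continue
        years = RETENTION_YEARS[rec.category]
        if rec.legal_hold:
            plan.retained.append(rec.record_id)
            plan.reasons[rec.record_id] = REASON_HOLD
        elif years is None:
            plan.retained.append(rec.record_id)
            plan.reasons[rec.record_id] = REASON_PERMANENT
        elif today < expiry_date(rec, years):
            plan.retained.append(rec.record_id)
            plan.reasons[rec.record_id] = REASON_ACTIVE
        elif rec.holder == "board":
            plan.delete_local.append(rec.record_id)
        else:
            # Data the board handed to a vendor: the board cannot delete it
            # itself, so the plan emits a deletion request per vendor.
            plan.vendor_requests.setdefault(rec.holder, []).append(rec.record_id)
    return plan


def sample_records():
    """Constructed sample data for the example (not real student records)."""
    y2025 = date(2025, 6, 30)
    y2026 = date(2026, 6, 30)
    return [
        Record("R1", "enrollment", y2025, "board"),
        Record("R2", "medical_note", y2025, "board"),
        Record("R3", "lms_activity_log", y2025, "edtech-vendor-A"),
        Record("R4", "field_trip_consent", y2025, "board", legal_hold=True),
        Record("R5", "medical_note", y2026, "board"),
        Record("R6", "biometric_sample", y2025, "edtech-vendor-B"),  # not in schedule
    ]


def sample_plan(today_iso: str = "2025-10-15") -> PurgePlan:
    """Run the planner over the constructed records as of the given ISO date."""
    return plan_purge(sample_records(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    plan = sample_plan()
    print("delete locally:", plan.delete_local)
    print("vendor deletion requests:", plan.vendor_requests)
    for rid in plan.retained:
        print("retain", rid, "-", plan.reasons[rid])
```

Two choices matter more than the numbers in the schedule: an unclassified record is retained and flagged rather than deleted, because a purge job that guesses is as dangerous as one that never runs, and vendor-held data produces an explicit request list so the board can demand confirmation of deletion down its supply chain instead of assuming it happened.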