The Rainbow District School Board has confirmed that sensitive data has been stolen from the board’s network as a result of the cyber incident that came to the board’s attention Feb. 7.
A full update on the situation, including a full list of those affected and data stolen, was published Feb. 20 on the board’s website.
Those affected include current and former employees of the board, as well as students, parents and guardians.
In North Bay, the Near North Board has confirmed that student information was compromised as part of a data breach,
SeeL Near North schools data breach affecting current and former students and staff
Sudbury.com has reached out to the Rainbow board, repeating an earlier interview request on the matter with Director of Education Bruce Bourget. We have yet to receive a reply as of this article’s publication.
Bourget previously declined our interview request on Feb. 18, when we attended the Rainbow board meeting, during which he provided an update on the cyber incident.
The board said that since it confirmed a cyber incident had affected the board’s network on Feb. 7, it has been working with cyber security experts to assess the impact, including whether any personal information was compromised.
“While this work is ongoing, we have been able to confirm that the perpetrators of this crime have stolen sensitive data stored on the Rainbow District School Board network,” said the school board, in the statement published on its website.
“We take this matter very seriously and apologize to all those who are affected. We understand this news will be as concerning to you as it is to us and we are deeply sorry.
“We have reported this cybercrime to the Greater Sudbury Police Service and the Ontario Provincial Police.
“While you are entitled to file a complaint with the Information and Privacy Commissioner of Ontario (IPC), please be advised that we have reported the matter to the IPC. You can visit the IPC’s website at www.ipc.on.ca.”
The board said in a FAQ that there is no evidence that data has been published anywhere. The possibility, however, remains.
It also said it is still recovering from the cyber incident, though schools are operating without any significant disruption.
The board said all staff members currently employed by Rainbow District School Board as well as those who worked for the board between January 2010 and February 2025 are affected. This includes full-time, part-time and occasional staff.
Personal information potentially includes addresses, phone numbers, SIN numbers, bank account numbers, police background checks and medical information such as doctors’ notes and leaves of absence forms.
Students and parents/guardians who have been associated with the board from 2011 to 2025 are also impacted.
That includes all students who graduated from Rainbow schools from June 2012 to June 2024, current and former students who have been enrolled in an ISP program since 2019, parents and guardians of the students identified above and former students since 2011 who received a scholarship and T4A for tax purposes.
Compromised data includes date of birth, home address, parent/guardian names and contact information, academic achievement data, medical provider’s identity, exceptionality assessment information, medical diagnosis, health card numbers and SIN numbers.
Also compromised in the data breach were school photos from the 2012-2013 school year up to and including the 2024-2025 school year, without names.
“There are no personal identifiers (i.e. student names) attached to the school photos, images of students only,” the board statement said.
A full list of those affected and data stolen can be viewed on the board’s website.
The board is providing a two-year TransUnion credit monitoring service, free of charge, to all current and former staff whose personal information was compromised.
It is also providing the same service to affected scholarship recipients whose social insurance number has been compromised and who have reached the age of majority.
“This service will help you monitor for signs of identity theft for fraudulent purposes so that you can react swiftly to protect yourself,” said the Rainbow board statement.
Those who qualify are asked to email [email protected] to request the credit monitoring service.
Sudbury.com would like to speak to those whose data has been compromised as a result of the Rainbow board cyber incident for a follow-up story. You can contact us at [email protected].
Heidi Ulrichsen is Sudbury.com’s assistant editor. She also covers education and the arts scene.