Durham District School Board

The names of staff at Durham District School Board who are not vaccinated for COVID-19 were exposed in a data security breach incident.

The board mistakenly attached a spreadsheet of the names of about 800 unvaccinated or undisclosed staff while sending out a “routine” email about rapid testing.

The board apologized to the affected staff and provided additional training for all staff involved with secure documents to prevent any such happenings in future.

Source: https://www.thestar.com/local-oshawa/news/2022/01/09/privacy-breach-names-of-unvaccinated-ddsb-staff-accidentally-shared.html

TPRM report: https://scoringcyber.rankiteo.com/company/durham-district-school-board

"id": "dur11424422",
"linkid": "durham-district-school-board",
"type": "Breach",
"date": "01/2022",
"severity": "75",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"

{'affected_entities': [{'industry': 'Education',
                        'location': 'Durham, Ontario, Canada',
                        'name': 'Durham District School Board',
                        'type': 'Educational Institution'}],
 'attack_vector': 'Human Error',
 'data_breach': {'file_types_exposed': ['Spreadsheet'],
                 'number_of_records_exposed': 800,
                 'personally_identifiable_information': ['Names of '
                                                         'unvaccinated or '
                                                         'undisclosed staff'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information'},
 'description': 'The names of staff at Durham District School Board who are '
                'not vaccinated for COVID-19 were exposed in a data security '
                'breach incident. The board mistakenly attached a spreadsheet '
                'of the names of about 800 unvaccinated or undisclosed staff '
                'while sending out a “routine” email about rapid testing. The '
                'board apologized to the affected staff and provided '
                'additional training for all staff involved with secure '
                'documents to prevent any such happenings in future.',
 'impact': {'data_compromised': ['Names of unvaccinated or undisclosed staff']},
 'lessons_learned': 'Proper handling and verification of sensitive information '
                    'before sending emails.',
 'post_incident_analysis': {'corrective_actions': 'Additional training for '
                                                  'staff',
                            'root_causes': 'Human error in email '
                                           'communication'},
 'recommendations': 'Implement stricter protocols for handling sensitive data '
                    'and conduct regular training sessions for staff.',
 'response': {'communication_strategy': ['Apology to affected staff'],
              'remediation_measures': ['Additional training for staff involved '
                                       'with secure documents']},
 'threat_actor': 'Internal',
 'title': 'Durham District School Board Data Security Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Improper handling of sensitive information'}