Durham Region Cyber Breach Information and FAQ

Posted On Monday May 10, 2021

The Regional Municipality of Durham has asked us to provide assistance in delivering their notice to Durham District School Board (DDSB) families about a cybersecurity incident that occurred with a third-party software provider used by the Durham Region Health Department.

Regrettably, this incident involved personal information of most DDSB students and their families. All school boards are required to share this personal information with their local public units, under the Immunization of School Pupils Act.

Please read the Regional Municipality of Durham’s notification letter that was sent to affected families by e-mail on Monday, May 10, 2021. Letters are also being sent to impacted families where we do not have an e-mail address on file. It outlines the nature of the cyber security incident and the steps the municipality has taken to address the situation.

The municipality has established a dedicated call centre to answer any questions you may have about the incident. Please call 1-833-526-0566, Monday-Friday, 9:00 a.m. – 4:30 p.m. with any questions you have. You can also visit durham.ca/CyberSecurity for any updated information.

We have been assured by the Regional Municipality of Durham that they have resolved the security vulnerability of their computer systems in this area.

Frequently Asked Questions

Why does the school board send personal information about students to the health unit, and what does the health unit do with this information?

Under the Immunization of School Pupils Act, the Durham District School Board is required to share this student and family information with the Durham Region Health Department. Public health units use this information to maintain immunization records of students and to plan and prepare annual vaccination efforts in local schools. The information includes student OEN numbers, names, date of birth, address, school location, grade and class information, in addition to parent/guardian name and contact numbers.

How many students at the Board have been affected by the Durham Region cyber incident?

At the Durham District School Board, approximately 73,000 students and their families have been affected.

What is the Ontario Education Number (OEN) and how is it used?

The Ontario Education Number (OEN) is one part of the data shared with the public health unit. It is a student identification number assigned by the Ministry of Education to elementary and secondary students across the province. The number, which is unique to every student, is used as the key identifier on a student's school records, and it follows the student through their elementary and secondary education.

The OEN allows school boards and the Ministry of Education to maintain reliable records on the movement and progress of individual students through elementary and secondary school.

Will the release of my child’s OEN compromise their personal information security at the Board?

The unauthorized disclosure of a student’s OEN poses a relatively low security risk that is being addressed.  

The DDSB uses OENs as part of our online authentication processes, to ensure parents and guardians have access to the information for their children only. For example, we use it for parents/guardians to set up an account to access to the parent portal and the online release of report cards in combination with other authentication steps.

In addition, as a result of the Durham Region cybersecurity incident, DDSB will no longer solely use OENs to authenticate any student information accessed by families.

Durham Student Transportation Services currently uses OEN and/or Date of Birth as part of their bus route look-up system. They are working on developing new, more secure authentication going forward.

Does the DDSB contact families asking for personal or credit card information?

No, the DDSB does not randomly contact families asking for personal or credit card information. While we do not have any reason to believe families will be contacted as a result of the cybersecurity incident, if you are ever unsure, please hang up or verify the e-mail received. You can always contact your child’s school at the contact information posted on the school website.

More information on phishing (a type of unsolicited e-mail) and how to protect yourself can be found in this helpful PDF explainer.

I have specific questions about the nature of the incident and the type of information released. Where do I go for answers?

The Regional Municipality of Durham has established a dedicated call centre to answer any questions you may have about the incident. Please call at 1-833-526-0566, Monday- Friday, 9:00 a.m. – 4:30 p.m. ET with any questions you have. In addition, please visit durham.ca/CyberSecurity for any updated information.