A Canadian school photography company says it was hit by a ransomware attack that held about 3,500 photos of students in several Saskatchewan school divisions hostage, among others across the country.
On Feb. 15, Edge Imaging contacted the office of the privacy commissioner to disclose a “cyber incident that may have affected school divisions across Canada,” according to a report released last week.
In a letter to the commission, Edge Imaging said the breach affected Entourage, the owner of its yearbook software web platform Creator Studio Pro, after the service noticed a breach of its Canadian Amazon Web Services cloud server “that may have affected uploaded images of school boards’ students and staff.
“On February 5, 2024, Entourage recognized a cyber incident on its cloud server due to a compromised username and password of one of its server accounts. The result was a ransomware attack where the threat actor removed photo images on a storage container on that server,” Edge wrote to Ron Kruzeniski, Saskatchewan’s privacy commissioner.
“We are advised by Entourage that the photos were ‘raw’ and likely contained no other identifying information such as associated names, schools, grades, location, or captions. Entourage recently commented that there may have been some metadata associated with the photos depending on the device from which the photos were uploaded. For instance, it is possible that metadata such as time the photo was taken and location of the photo may have been attached to some photos.”
According to Kruzeniski, just over 3,500 images of Saskatchewan students and staff were held ransom by the hackers, affecting people in the Horizon, Living Sky and Prairie Spirit school divisions.
In total, about 400 of the photography company’s clients were affected by the ransomware attack. The largest cache of photos stolen in Saskatchewan came from schools in Muenster and St. Brieux.
Edge, the Canadian photography company, said the attack was limited to its yearbook software service provider Entourage, and did not affect its own internal IT.
Edge told Kruzeniski’s office the images involved in the hack included a lot of candid photos of school events and clubs.
“Schools often upload photos of clubs, events or candid photos that are often included in a yearbook,” Edge told the commission. “Where we are the school photography provider, we do upload photos from the school photography sessions.”
Photos taken by Edge Imaging would have very limited metadata attached, but photos uploaded directly by schools for use in the yearbook, such as those captured by students and parents, could have more detailed information in the metadata, depending on the settings of each individual’s camera, the company said.
In his report, Kruzeniski writes that it’s possible the people in the photos could be identified.
“It is likely that some of the images as described by the school divisions and Edge, if not all, could lead to the identification of the individuals on them based on factors such as race, ethnic origin, age, appearance in a certain location, etc. This would then reveal information that is personal in nature about an identifiable individual. Based on this, I find that there is personal information involved.”
Many of the stolen files were later recovered by Entourage, Kruzeniski says, but given that his office has worked on cases where stolen data was found for sale on the dark web years later, “there are no assurances that the breach was fully contained.”
To read about the school divisions’ response to the privacy breach and Kruzeniski’s recommendations to prevent future breaches, read the full report here.