Hackers have stolen an undisclosed number of student images, including roughly 160 from four schools in Calgary, following a data breach.
Kristen Gobeil alerted Global News after receiving an email from the Calgary Board of Education (CBE) on February 11, advising that her daughter’s school had been hit by the privacy breach.
“Pictures were stolen — of children,” Gobeil said incredulously.
“It’s a very, very scary situation for me.”
The CBE’s email explained that Edge Imaging, a Canadian company that helps schools create yearbooks, informed it on Feb. 9 that its cloud storage service provider had experienced a cyber-security breach, leading to unauthorized access to student images.
The CBE said it had been assured that no identifying information had been accessed, and Edge was taking the appropriate steps to find out what happened and how.
Gobeil reached out to Edge and said she was told the same thing.
“The initial email was, ‘We (Edge) take this very seriously. The FBI has been involved and we are reporting to the Canadian counterparts as well,'” Gobeil said she was informed.
What happened
Edge Imaging posts on its website that it is “the largest Canadian-owned and operated school photography and yearbook company” and that it has been in business since 2005.
It also said it currently services nearly 3,000 schools and is proud to lead the industry in privacy and security.
CEO Jim Agnew told Global News his company was not to blame for this cyber hack.
“Recently we were advised that one of our service providers, Entourage (the owner of the “Creator Studio Pro” yearbook software web platform), had a cyber incident on its Canadian AWS cloud server where images from 2022/23 and 2023/24 yearbooks may have been accessed.”
“We want to make it clear that at no point were Edge Imaging’s own IT systems accessed or impacted. This incident arises fully from an attack on Entourage’s platform.”
Agnew said Edge has made it clear to their vendor that what happened was “unacceptable and that we expect to be advised of the findings of a full review of their security practices.”
Agnew wouldn’t share how many Canadian schools or students this privacy breach may have impacted but added the affected schools have all been contacted.
He also said the company would be providing “dark web monitoring” for the affected files.
“That was really scary to me because you just assume ‘dark web’ equals bad things,” Gobeil pointed out. “You just don’t know what someone is going to do with an image of a child.”
CBE response
The CBE said it takes these kinds of incidents seriously and informed parents as soon as possible to ensure they were aware of the issue.
- As Loblaw boycott begins, what to know about all the company’s brands
- Poilievre allowed back in House of Commons after getting kicked out Tuesday
- $34B Trans Mountain pipeline expansion project opens after years of construction
- N.S. man stuck abroad due to lack of available hospital beds ‘in our own province’
Gobeil argued she would have appreciated more than just “a general email” adding it shouldn’t have been up to her to try and get more answers.
Some of which, she said, she still doesn’t have.
“We don’t even know if it was our child,” she pointed out. “That uncertainty is even scarier to me.”
Cause for concern?
University of Calgary professor and cyber-security expert Dr. Ryan Henry told Global News affected parents have cause for concern.
Henry said it’s hard to say how bad the implications can be, but they can be pretty severe.
“One of the really scary things about these sorts of security and privacy threats is that the kind of entities that engage in these kinds of behaviours often have more vivid imaginations than you or I and come up with things that are shocking, in retrospect that you would never expect,” he said.
“There’s lots of nasty things that somebody could potentially do with these photos.”
Henry’s advice to parents — think carefully before allowing images to be taken and posted.
“You’re trusting the entities that you have entrusted with that data to protect it and if that trust was misplaced — there’s not much you can do after the fact.”
Comments