Home News Limestone School Board Breach

Limestone District School Board Cyberattack Exposes Decades of Staff and Student Data

A cyberattack on the Kingston-area school board compromised personal information spanning nearly three decades.

May 8, 2025 By CyberSafe Threat Intelligence Team Canada Education

The Limestone District School Board (LDSB) in Kingston, Ontario has confirmed that a cyberattack on April 17, 2025 resulted in the theft of personal information belonging to current and former staff, most current students, and parents or guardians. The breach is notable for its scope, with stolen staff records dating back to 1998, making it one of the most extensive data exposures in the Canadian education sector.

What Happened

On April 17, 2025, the Limestone District School Board detected unauthorized access to its network. The board immediately engaged cybersecurity incident response professionals and launched an investigation. The forensic analysis determined that threat actors had gained access to internal systems and exfiltrated files containing personal information before the intrusion was contained.

The board reported the incident to the Kingston Police Service and the Ontario Information and Privacy Commissioner (IPC). While services were disrupted in the immediate aftermath, the board was able to restore most systems within weeks of the attack.

Scope of the Data Exposure

The breadth of compromised data is significant, spanning nearly three decades of records:

  • Personal information of current and former staff members dating back to 1998, including names, addresses, Social Insurance Numbers, dates of birth, and employment records
  • Student information for most currently enrolled students, including names, dates of birth, addresses, and student identification numbers
  • Parent and guardian contact information and emergency contact details
  • Some medical and special education records associated with student files

The retention of staff records dating back 27 years highlights a challenge common across the public sector: legacy data that remains accessible on modern networks long after its operational usefulness has passed.

The MUSH Sector Under Attack

The LDSB attack is part of a broader pattern of cyberattacks targeting Canada's MUSH sector, comprising municipalities, universities, school boards, and hospitals. These organizations often face constrained IT budgets, aging infrastructure, and large volumes of sensitive personal data, making them attractive targets for cybercriminals.

In recent years, Canadian school boards in Hamilton, Durham Region, and Toronto have all experienced significant cyber incidents. The education sector's reliance on shared platforms, limited security staffing, and broad user populations of students and educators creates a challenging security environment.

Response and Recovery

The Limestone District School Board has taken several steps in response to the breach:

  • Restored affected systems and services within weeks of the attack
  • Offered two years of complimentary TransUnion credit monitoring to affected individuals
  • Established a dedicated information line for affected staff, students, and families
  • Filed reports with Kingston Police and the Ontario IPC
  • Engaged external cybersecurity experts to harden systems and prevent future incidents

Protecting Your Information

If you are a current or former staff member, student, or parent associated with the Limestone District School Board, CyberSafe recommends the following actions:

  • Enrol in the complimentary TransUnion credit monitoring offered by the board
  • Monitor your credit reports with both Equifax Canada and TransUnion for unfamiliar accounts or inquiries
  • Be cautious of phishing emails or phone calls referencing the school board or your personal details
  • If your SIN was potentially exposed, contact Service Canada to discuss protective measures
  • Report any suspected identity fraud to the Canadian Anti-Fraud Centre

Education Sector Security Recommendations

CyberSafe advises school boards and educational institutions to strengthen their cybersecurity posture with the following measures:

  • Implement data retention policies that minimize the volume of historical personal data stored on active systems
  • Deploy multi-factor authentication for all staff accounts, particularly those with administrative access
  • Segment networks to isolate sensitive student and HR data from general-use systems
  • Conduct regular vulnerability assessments and penetration testing of internet-facing systems
  • Establish incident response plans tailored to the education sector with help from security consulting services
  • Invest in security awareness training for staff and educators to reduce the risk of phishing-based intrusions

How CyberSafe Can Help

Our Offensive Security Services provide vulnerability assessments and penetration testing tailored to education institutions. Combined with Consulting Services, we help develop incident response plans and security awareness programs to protect student and staff data.

Sources