Ontario’s Education Quality and Accountability Office (EQAO) confirmed to Toronto police that it has sustained a cyber-attack that disrupted efforts to conduct the Grade 10 literacy exam for the entire province. Nearly 150,000 students across Ontario were affected by the attack.
The testing agency was conducting a $250,000 pilot project to move the examination process online when a sustained Distributed Denial of Service (DDoS) attack overwhelmed the system, which was built to handle the equivalent of 250,000 students and up to 10,000 teacher supervisors.
Looking for a market for cyber security? Find cyber security coverage here
“I’m not sure if this kind of thing can ever be figured out,” EQAO director of assessment Richard Jones told
Toronto Star. “There were IP addresses from all over the world, and to find the source is a really difficult thing. We are moving forward and trying to uncover as much information as we can.”
Cyber security lawyer Imran Ahmad of Miller Thomson LLP commented that the EQAO “should have foreseen this type of scenario,” as such attacks have become increasingly common.
“This should not come as a surprise; any kind of online interface is inherently vulnerable,” Ahmad explained, adding that the EQAO should have hired a cyber security third party to weed out the “bad” traffic that occurs in DDoS strikes.
At least one school in Egypt, Ontario managed to complete the examination well before 8 a.m., Jones noted.
“And then at 8 a.m. our time, there was a huge influx of junk traffic from IP addresses from all around the world, inundating our host application for the assessment,” Jones said. “As far as I’m concerned, they were absolutely targeting us. Somebody knew the timing and somebody knew the IP addresses to attack.”
Almost 16,000 teens in Ontario managed to complete the test, despite four hours of technical difficulties caused by the attacks. The EQAO is deliberating whether to give those students credit for their efforts.
The
Toronto Star reports that IT experts and a third-party forensic team spent the weekend investigating the breach and offering cyber security advice to the EQAO.
Although information was not stolen during the cyber-attack, Ahmad argued that it still dealt considerable damage.
“I’m pretty sure there’s a financial cost to this at some level” he said, noting the number of hours spent preparing the pilot program. “They’ll have to go back to the drawing board, and it’s very difficult to layer on security after the fact.”
Related Stories:
Are SMEs underestimating their cyber exposure?
There’s more to cyber than your clients might think – how can you sell it?
