Skip to main content

Investigation reveals thousands had info exposed in P.E.I. arts centre data breach

A cyberattack was first reported by the Confederation Centre of the Arts in January. A cyberattack was first reported by the Confederation Centre of the Arts in January.

The full impact of a data breach at Prince Edward Island’s largest arts centre is now clear. The results of a recently completed investigation show thousands of people had their personal information exposed.

The cyberattack was first reported by the Confederation Centre of the Arts in January. In February, officials confirmed it was a ransomware attack, which exposed some personal information held on the organization’s servers.

“A ransomware attack is where criminals will encrypt or scramble the data and systems of an organization preventing them from being able to access it or use it, essentially rendering it all useless,” said David Shipley, CEO of New Brunswick-based cybersecurity firm Beauceron. “Then they hold it for an extortion payment.”

The centre did pay a ransom to the attackers, but didn't disclose the amount paid.

The recently completed investigation into the breach found about 3,000 people were exposed, some just names and email addresses, but others had their date of birth and social insurance number exposed.

“The attack basically took down our entire IT infrastructure,” said Jodi Zver, Confederation Centre of the Arts’ chief financial officer. “We had to rebuild everything from the ground up, new servers, new everything. That took a very long time, and until we had that done we didn’t have access to the data that told us whose information was there.”

Officials say the affected people have been contacted, with the highest risk being offered credit monitoring and insurance.

This isn’t the first time something like this has happened in the region. The City of Saint John was hobbled after its information technology systems were targeted by a similar attack.

Experts say municipal governments and small non-profit organizations are easy targets.

“These organizations do not, generally, have IT teams and they certainly don’t have robust cybersecurity in place,” said Shipley. “So if you have the choice between going up against a global bank with a half a billion dollar security budget and few thousand eager cybersecurity professionals, or you can pick on the little kids.”

The Confederation Centre’s new system has improved backups and monitoring, as well as new information management policy.

“We’re not storing people’s personal information,” said Zver. “So if or when this happens again then we’ll be fine because we know the information wasn’t there for them to take.”

Officials say the box office and payroll system was not breached, so stored financial information should have remained secure.

The vast majority of successful cyberattacks are against people, not IT infrastructure. Attacks include getting members of an organization to click on a bad link or login to a fake website. Experts say the only real way to prevent these kinds of attacks is with improved training for staff and better cybersecurity protocols. 


This is a corrected article. A previous version incorrectly stated the Confederation Centre did not pay the attackers a ransom. Top Stories

Stay Connected