A Freedom of Information request by Sudbury.com reveals Rainbow District School Board spent $680K on professional and legal services and credit monitoring following 2025 cyber incident
Editor’s note: This article originally ran on Feb. 26 but is being reprinted this weekend for those who may have missed the story on its original run.
With a Sudbury.com freedom of information request revealing the February 2025 ransomware cyber incident affecting the Rainbow District School Board cost the board more than $680,000, a cyber security expert said he’s not surprised by that figure.
Nor is Ritesh Kotak surprised that the cost of Laurentian University’s 2024 cyber incident involving a ransom demand has risen to more than $1 million.
“These numbers don’t surprise me, and quite frankly, we are seeing an increase in the cost of recovery when it comes to cyber-related incidents,” Kotak said.
Kotak is a Toronto-based lawyer whose area of practice includes cyber security, and who also used to work in big tech and in law enforcement in the area of cyber crime.
He has spoken to us about the recent cyber incidents in Sudbury several times now, putting them within the context of the national picture, where such events are becoming commonplace.
Other targets have included the City of Hamilton and the Toronto Public Library, as well as the PowerSchool system, an American application used by school boards to store student and staff information (local boards fortunately don’t use that system).
The Rainbow board and Laurentian cyber incidents were disruptive as well as costly, involving technology being unavailable for an extended period of time, as well as data breaches.
Freedom of Information request uncovers amount
In December, Sudbury.com learned that at the time of the 2025 cyber incident, the Rainbow board had cyber insurance of $500,000 through the Ontario School Boards’ Insurance Exchange (OSBIE).
We asked the board in December the specific cost of the cyber incident, but they told us only that it fell within the board’s insurance coverage of $500,000, hence our request under provincial freedom of information legislation.
The information we got back from the board March 3 broke down the costs as follows: $585,698 for legal and professional services and $94,583 for credit monitoring protection, for a total of $680,282.
In light of this information, Sudbury.com questioned the board further this month.
In a written statement, the board said it has now settled with OSBIE, with $500,000 covered by insurance, and a $100,000 deductible (there were actually two $250,000 policies, each with a $50,000 deductible). There will be $80,282 in costs above the insurance and deductible.
The board said it anticipated the additional cost will be accommodated within its current budget, although no specific envelope has been identified at this time.
Asked why the total cost was higher than what was stated in December, the board said the cost for “eDiscovery work” done by a consultant to examine the data breach associated with the cyber incident was based on an estimate at that time.
“The actual costs were higher than expected,” the board said.
Kotak said public institutions such as universities, colleges and school boards are “continuously” getting hit by cyber attacks because of a combination of “legacy systems” and inadequate investment in cyber security, with insurance giving them a false sense of security.
“The insurance model is really simple,” he said. “It’s collect the highest amount of premiums and pay out the least amount.
“One thing that I’ve noticed recently, and also with the clients that I work with, is there’s been times where the insurance company has said, ‘We’re just not going to pay because of several factors,’ some of those factors being the organization didn’t do their due diligence. Employees weren’t properly and adequately trained.”
Affected people ‘unlikely’ to exceed 30,000
Given the board also revealed in December that the data breach associated with the cyber incident exposed decades’ worth of data (believing the risk of data misuse to be low), we also requested through our FOI the estimated number of people affected by the data breach.
The answer from Rainbow was that “the estimated number of people affected by the data breach is unlikely to exceed 30,000 individuals.”
Sudbury.com had already asked that question in an earlier FOI made a year ago, at which time the board said “no estimate has been compiled at this time.”
It’s only through our earlier FOI that it was revealed that the nature of the cyber incident and subsequent data breach that affected the Rainbow board in 2025 was ransomware, and a ransom demand was made.
We also sought to find out through our filing how much was demanded through the ransom, if a ransom was paid, and if so, how much.
However, the board has so far refused to answer those questions, first citing exemptions under provincial legislation and then revising their answer to our request, saying the records don’t exist.
Sudbury.com has an active appeal on this matter through the Information and Privacy Commissioner of Ontario.
We also repeated this portion of our request informally to a board spokesperson this week, who replied we’d hear from the board on the matter by March 12.
Kotak said if the Rainbow board paid a ransom, it could be included in the “legal and professional services” portion of the costs we received through the FOI, as it could have been paid by the consultants they retained to deal with the cyber incident.
In its case, Laurentian said it also received a ransom demand in its 2024 cyber incident, but did not pay.
Ransomware threats increasing and evolving
As outlined in the Canadian Centre for Cyber Security’s Ransomware Threat Outlook for 2025-2027, which was released in January, ransomware incidents in Canada are on the rise overall, and continue to increase annually across most sectors.
Kotak said ransomware involves hackers injecting malware into an organization’s system, and then holding the system ransom until money is paid, usually in the form of cryptocurrency.
It usually infects a system through an unwitting employee being sent an email, clicking a link and downloading the malicious software.
“Ransomware is definitely on the rise,” Kotak said. “One of the big reasons for it is it’s very, very lucrative. It’s high reward, low risk.”
There’s been a 26-per-cent average year-over-year increase in Canadian ransomware incidents known to the cyber centre since 2021, said the cyber centre report.
“The ransomware threat in Canada continues to increase and evolve quickly,” said the report. “Threat actors are leveraging various sophisticated tactics to carry out cybercrime. We assess that ransomware actors operating against Canadian targets are almost certainly opportunistic and financially motivated.”
Canadian critical infrastructure “will likely continue to be a desirable target due to the perception that these organizations are more inclined to pay ransom demands to minimize disruptions,” said the cyber centre.
The report said the core membership of these cybercrime groups is most likely Russian speaking and operating out of the Commonwealth of Independent States (CIS) — a group of former republics of the Soviet Union — although their affiliates operate globally.
The agency also recently issued a cyber threat bulletin in light of the conflict between Iran and the United States and Israel.
“Iran will very likely use its cyber program to respond to the joint U.S. and Israel combat operations against Iran,” with possible responses including cyber attacks against critical infrastructure, said the agency.
The cyber centre also predicts that cyber criminals will “almost certainly” adopt AI in their activities as the technology becomes more advanced.
High toll: Cost is not the only problem
Following an increase of $200 million from 2019 to 2021, the total recovery costs associated with cyber security incidents in 2023 doubled to $1.2 billion (all figures in Canadian dollars), the report said.
Ransomware payments have fluctuated over the past four years, which could be a result of fewer or smaller payments made by victims combined with an increase in the total number of Canadian victims, said the report.
By one estimate, the average ransom paid in Canada in 2023 was $1.13 million, an increase of almost 150 per cent in two years, said the cyber centre.
Statistics Canada said that in 2023, about one in six businesses were impacted by cyber security incidents.
But Kotak said there are actually “very poor numbers” available when it comes to cyber attacks, as there’s no obligation to report them unless personal information is breached, although he does know they’re increasing.
Our interview actually came during Fraud Prevention Month, an annual awareness campaign designed to help people recognize, reject and report fraud.
He urges organizations to invest in their cyber security infrastructure and to deploy a “zero trust” protocol.
“Don’t trust those links that come in,” said Kotak, advising people to instead verify their authenticity by going to the source.
Asked if organizations should be worried, Kotak said they do need to be worried. And it’s not just the cost that’s the problem.
“I deal with organizations all the time that go through a breach,” he said.
“Now it’s really easy to break down numbers. It’s probably the easiest part. What’s really hard to understand, and this is what I try to tell my clients or people, is that there’s human beings dealing with this stuff.
“I’ve seen some situations where IT directors have had to go on stress leave. Members, you know, were just devastated. … So cyber attacks aren’t just about the numbers. It’s also the toll it takes on humans when they’re in the midst of a breach. Like there’s a very significant human component to this.”
Heidi Ulrichsen is Sudbury.com’s assistant editor. She also covers education and the arts scene.
