Cyber Breach at Regional Municipality of Durham



May 10, 2021


The Regional Municipality of Durham has asked us to provide assistance in notifying Clarington families a cybersecurity incident that occurred with a third-party software provider used by the Durham Region Health Department. Regrettably, this incident has affected the security of personal information for students and their families in our Municipality of Clarington schools. All local school boards are required to share this personal information with the Durham Health Department, under the Immunization of School Pupils Act.


Please read the Regional Municipality of Durham’s notification letter that was sent to affected families on May 10, 2021. It outlines the nature of the cyber breach and the steps the municipality has taken to address the situation.  In addition, please see the Frequently Asked Questions sheet below.


The Municipality has established a dedicated call centre to answer any questions you may have about the incident. Please call 1-833-526-0566, Monday-Friday, 9:00 a.m. – 4:30 p.m., with any questions you have. Please visit for any updated information.


This is a concerning matter to us as we take very seriously our obligations to protect the personal information of our students and families. We are assured by Durham Region that they have resolved the safety of their computer systems in this area.


Frequently Asked Questions


Why does the school board send personal information about students to the health unit, and what does the health unit do with this information?

Under the Immunization of School Pupils Act, the school board must share student information with the health units in our jurisdiction as part of the Board’s obligation. The

health units use this information to maintain immunization records of students and to plan and prepare vaccination efforts in local schools.


Does this breach have anything to do with health records related to COVID-19?

No, the affected records have nothing to do with COVID-19 cases, or COVID testing or immunization. The records are related to the regular, annual school vaccination program

administered by the Durham Department of Health. All school boards are required by law to provide this information to public health each year.


How many students at the Board have been affected by the Durham Region cyber breach?

At KPR, 8,833 students have been affected. All of the affected students attend our Clarington schools. The cyber breach has not affected any other regions of the Board’s



What is the Ontario Education Number (OEN) and how is it used?

The Ontario Education Number (OEN) is one part of the data shared with the Health Unit. It is a student identification number assigned by the Ministry of Education to

elementary and secondary students across the province. The number, which is unique to every student, is used as the key identifier on a student's school records, and it follows

the student through their elementary and secondary education. 

The OEN allows school boards and the Ministry of Education to maintain reliable records on the movement and

progress of individual students through elementary and secondary school.


Will the release of my child’s OEN compromise their personal information security at the Board?

The unauthorized disclosure of a student’s OEN should not pose any further security risk to a student or their family. The OEN is used for internal record keeping purposes, and

it does not unlock any additional information about a student or their family. KPR uses OENs as part of our online authentication processes, to ensure parents and guardians

have access to the information for their children only. For example, we use it as part of our summer school registration, online release of report cards, and so on. However, it

is only one of several authentication steps parents must take to access their children’s information. Parents also must use the unique PIN (Personal Identification Number)

assigned to each student by the school. This PIN was not included in any of the data provided to Durham Health Department. In addition, as a result of the Durham Region

cybersecurity breach, KPR will no longer use OENs to authenticate any student information accessed by families.

STSCO (Student Transportation Services of Central Ontario (STSCO) currently uses OEN and/or date of birth as part of their bus route look-up system. They have disabled that

feature at this time and are working on developing new, more secure authentication going forward.


I have specific questions about the nature of the breach and the type of information released. Where do I go for answers?

The Regional Municipality of Durham has established a dedicated call centre to answer any questions you may have about the incident. Please call 1-833-526-0566, Monday-

Friday, 9:00 a.m. – 4:30 p.m., with any questions you have. In addition, please visit for any updated information.