'Dysfunctional' child welfare authority left itself open for cyberattack, Sandy Bay CFS says
Southern CFS authority published blueprint of its internal IT network on its website
An authority responsible for the care of thousands of foster children in southern Manitoba left itself open to hackers and ignored warnings that its internal information technology network was at risk, according to the head of one foster care provider.
"I don't want to be the guy, but I told you so," said Richard De La Ronde, executive director of Sandy Bay Child and Family Services. "It was a concern for us."
The Southern First Nations Network of Care — tasked with overseeing the care of more than 5,000 foster children in southern Manitoba through 10 agencies — was the victim of a ransomware attack on Thursday morning.
Sandy Bay CFS is among those agencies, but it was not affected by the cyberattack.
The attack has rendered the Southern First Nations Network's entire internal IT system — used by eight of its 10 CFS agencies for everything from emailing about foster cases to tracking financial information — completely unusable.
IT security details published on website
The authority published specific information on its website about how its IT system was set up — including what software was used and where its data was located — which made it vulnerable to cyberattack, De La Ronde said.
Whoever hacked the virtual local area network (VLAN) "only had to attack the one to put all the other eight out," he said.
Sandy Bay was not affected by the ransomware attack because it's on a separate network, having previously refused to join the larger IT network over concerns about its cost and security control.
"Agencies are now scrambling when we've been saying for the last 10 years, 'You should have some sort of backup.'"
The Southern First Nations Network spent $1.7 million last year on IT support, or about three per cent of its overall budget, according to its latest financial statements.
At a press conference on Sunday, the SFNNC called on the province to provide more money to help with information technology, but would not say how much it needed or what the money would be used for.
"Now we have eight agencies that are scrambling for IT," De La Ronde said. "They're asking the province for IT dollars to help them get set up, when Sandy Bay was able to do that without asking the province or the feds for dollars."
The southern authority referred to the cyberattack as a "ransomware" attack — generally, one in which a hacker demands payment to unlock a system.
At Sunday's news conference, the authority would not answer questions about whether a ransom had been demanded, or if any money was paid.
'Bigger problems ... than this virus'
The cyberattack on the southern authority is just a symptom of a "dysfunctional" organization, De La Ronde said.
The authority recently appointed Margaret Swan as its board chair. She was convicted of stealing $35,000 from Lake Manitoba First Nation when she was the community's chief in 2000.
"Administratively, financially, IT-wise, there are some bigger problems there than this virus," he said.
"Sandy Bay certainly has no faith in the current board at the authority, no faith in that organization. We're concerned that our funding is going to flow through there," he said.
The Southern First Nations Network has an operational budget of $58 million in provincial funding.
"We have zero confidence in their ability to manage our funds and manage our IT services at this time."
CBC News contacted the Southern First Nations Network of Care for comment on Tuesday, but had not received a reply by deadline.
De La Ronde said in recent years, instead of creating better standards and regulations to improve care, the authority has created barriers, including delays and "huge" discrepancies in funding.
"There's been delays when our money has flowed through the authority," he said. "There's been inconsistencies in terms of what the province said our funding would be, compared to what the authority said our funding was going to be…. That was concerning for us," he said.
De La Ronde wants the province to place the SFNCC in administration. That would allow the Southern Chiefs' Organization — which oversees the board of the authority — and the province to look at what has been going on.
The province is not considering that as an option, according to Braeden Jones, the press secretary for the minister of families.
Province providing technical support
The minister deferred questions on the cyberattack to her department.
"I think they're the best people to bring us up to speed in terms of what is going on. I know there are meetings … and they will be giving regular updates," Families Minister Heather Stefanson said on Monday when asked about the breach.
"We need to get to the bottom of the security breach, and so we've offered our technical supports. We'll see where we go from there," Stefanson said Tuesday when asked whether the province would provide financial support.
No clear answer on safety of files
Manitoba's First Nations family advocate said it's still not clear whether the information of vulnerable foster children is safe after the Nov. 21 ransomware attack.
"I wanted to make sure it wasn't going to put children in unsafe situations, hamper families' abilities to visit their children, have access to children, or be reunified with their children," Cora Morgan said.
"I don't know the answer to that yet."
Morgan said the IT systems and software used by Manitoba's foster care system are outdated and have long been flagged as needing an overhaul.
"It also has the potential to be a huge breach of confidentiality," she said.