The Southern First Nations Network of Care says it was victim of a cyberattack in the early hours of Nov. 21 which has potential impacts on eight Child and Family Services agencies in Manitoba.

The major breach of the agency's information and technology system that forced a complete system shutdown is being treated as a criminal investigation, a spokesperson for the agency announced during a press conference in Winnipeg on Sunday afternoon.

Southern First Nations Network of Care spokesperson Jim Compton said the organization is working to determine the scope and origin of the attack and what personal information could have been accessed. Thousands of foster children, their families and foster parents may have had their data hacked.

"There is all kinds of information on there that could be compromised," he said. "At this point, we really don't know what. But what we do know is that the system is not working, and we have to come up with a contingency plan."

The network oversees 10 CFS agencies, which care for children from more than 30 First Nations representing about 15,000 community members in southern Manitoba.

Compton said eight of those agencies were affected:

Animikii Ozoson Child & Family Services.

Anishinaabe Child and Family Services.

Dakota Ojibway Child and Family Services.

Intertribal Child and Family Services.

Peguis Child and Family Services.

Sagkeeng Child and Family Services

Southeast Child and Family Services.

West Region Child and Family Services.

Two others — Child and Family All Nations Co-ordinated Response Network and Sandy Bay Child and Family Services — were not affected because they use a different system, he said.

Jim Compton, a spokesperson for the Southern First Nations Network of Care, said a ransomware attack forced the shutdown of IT services for eight out of its 10 agencies.

Compton said the system held information on children in care and their families, including case files and payment information for foster families.

"We thought we had a good system in place. That's why we had eight of our agencies on there," he said. "We thought we had the system protected, and it was breached."

Compton suggested someone illegally entered the agency's system and infected it with ransomware. He said he doesn't know where the attack came from or who was behind it.

Virus breach

An IT manager of one of the unaffected Southern agencies who was brought in to assist confirmed it was a virus breach.

"They identified the issue, they isolated the issue, they tried to cleanse it the best they could, and they tried to restore from backup," said Justin Richard, the IT manager of Sandy Bay Child and Family Services. "Once they realized that restoration was going to be an issue, we escalated the problem."

Justin Richard, an IT manager of Sandy Bay Child and Family Services, said they believe a virus introduced into the system created the problems. (Tyson Koschik/CBC)

Richard said servers on site were unable to remedy the issue. He said they believe a virus introduced into system created the problems, and while the data is still intact, they are having trouble accessing it.

Generally speaking, if data is compromised, there will typically be a large spike in information leaving the network — but that was not the case here, he explained.

Margaret Swan, the Southern First Nations Network of Care board chair, said she wanted to to limit what information about the breach is made available to the public given the nature of the investigation. Swan would not comment on whether the attackers demanded ransom, or if anything was provided.

"I just want to ensure that we limit what we put out here publicly," Swan told media. "It's very serious."

Margaret Swan, board chair of the Southern First Nations Network of Care, said minimal information about the cyberattack would be made public at this time. (Tyson Koschik/CBC)

The acting CEO of Southern First Nations Network of Care said during the press conference that all agencies have implemented their contingency plans and are working with teams to limit disruption.

"Quite simply, we do not have access to any sort of computers," Clemene Hornbrook said.

Hornbrook said they held an meeting with the province to request emergency assistance. As an authority, she said they currently receive $713,000 annually for IT services.

Clemene Hornbrook, the acting CEO of Southern First Nations Network of Care, said all affected agencies currently have no computer access. (Tyson Koschik/CBC)

All chiefs of the Southern Chiefs Organization have been briefed on the breach.

A spokesperson for Manitoba's Advocate for Children and Youth said the advocate's office was informed of the breach early Saturday by the provincial department of families and the Southern Authority.

"This is a very serious matter and we are extremely concerned," the spokesperson said in an emailed statement. "Our office is monitoring the situation, particularly how the confidential information of children and families is being protected, as well as the ability of the CFS system to provide ongoing service to Manitoba families."

In a news release Sunday afternoon, Manitoba Families said it was advised of the breach late Friday, and immediately took steps to ensure provincial systems and information remained safe.

The province is offering technical support and other resources to assist the Southern Network, and has been working collaboratively with other child welfare authorities to support service delivery in the southern agencies and across the province, the release said.

Staff from the Child and Family All Nations Co-ordinated Response Network will be available to provide necessary information to child welfare partners by phone or fax, including outside of business hours. The province is also limiting remote access to its computer systems to ensure security as this issue is resolved, the release said.

The province said the Canadian Centre for Cyber Security is investigating.

Compton said the Southern Authority has contacted the RCMP about the attack, and has also hired an independent company to determine what happened. RCMP confirmed its Integrated Technological Crime Unit (ITCU) is investigating. Police have not provided further details.

The Southern Authority held a press conference Sunday afternoon to release further details on what he called "a sophisticated attack" that infected their system with ransomware, rendering it unusable. Because the system is down, Compton said, they will have to access information for about 5,000 children in its care manually.

Compton said it is not known yet how many people are affected, but said personal information of children, families and foster families could be compromised.