The Centre de services scolaire des Appalaches (CSSA) suffered a devastating cyberattack just three days before the scheduled school reopening on August 27, 2025, forcing a complete shutdown of its digital infrastructure and raising urgent questions about the resilience of Quebec’s education sector in the digital age.
How the Attack Unfolded: A Timeline of Digital Collapse
According to École Branchée, the attack began at 6:51 AM on August 25, 2025, when a local school reported a connection loss that would later reveal itself as a sophisticated cyber intrusion. The attackers had already spent weeks mapping the CSSA’s network, exploiting a “golden ticket” access to the Active Directory that granted them complete control over all user credentials. By midnight, they had created seven fraudulent accounts, exfiltrated 180 GB of data (approximately 273,000 files), and encrypted 454 workstations and all servers, rendering the entire system inoperable.
Patrick Touzin, the CSSA’s director of information technology, described the attack as “chirurgical” in its precision, noting that the entire operation took just 45 minutes from initial breach to full system lockdown. The attack’s efficiency—combining reconnaissance, lateral movement, and data exfiltration—demonstrates a level of sophistication typically associated with state-sponsored or highly organized criminal groups.
The CSSA serves 19 primary schools, three secondary schools, and multiple training centers across Chaudière-Appalaches, serving over 20,000 students. The attack’s timing—just days before the school year—highlighted the critical role digital infrastructure plays in modern education, where everything from attendance records to lesson plans now relies on interconnected systems.
Systemic Shutdown: What Was Lost and What Wasn’t
In the immediate aftermath, the CSSA took drastic measures to contain the breach. As reported by Le Courrier Frontenac, the organization disconnected all IP telephones, computers, and Wi-Fi networks to prevent further data leakage. Employees were left without access to digital records, forcing a return to paper-based workflows—a scenario that would have been unimaginable just a decade ago.
The attack’s scope was extensive: 454 workstations and all servers were encrypted, and 180 GB of data—including sensitive student, staff, and administrative records—were exfiltrated. However, the CSSA’s response was swift. Unlike the 2016 ransomware attack that crippled the organization for weeks, this time the CSSA had invested in cloud-based backups and daily data snapshots, allowing them to restore critical systems within days. “We cannot achieve zero risk in IT, but since 2016, we’ve improved our ability to recover data faster and limit impacts,” Annie Moreau, a CSSA communications advisor, told reporters.
Despite the chaos, the CSSA managed to maintain the school year’s opening on August 27, though operations were severely disrupted. Teachers relied on printed materials, manual attendance logs, and even social media to communicate with parents. The CSSA’s ability to recover so quickly—despite the attack’s severity—suggests that the lessons of 2016 had been learned, even if the threat landscape had evolved.
The Ransomware Threat That Wasn’t (This Time)
One critical distinction in this attack was the absence of a ransom demand—a hallmark of traditional ransomware attacks. While the attackers exfiltrated data, they did not encrypt files for ransom, a tactic that has become increasingly common in recent years. Instead, as Le Beauce Media reported, the attackers threatened to leak the stolen data on the dark web unless their demands were met.
This shift in tactics reflects a broader trend in cybercrime: attackers are increasingly focusing on data theft rather than encryption, as stolen records can be sold repeatedly on underground markets. The CSSA’s refusal to negotiate with the attackers—despite the threat to publish sensitive information—demonstrates a growing recognition that paying ransoms only emboldens future attacks. “We take these threats seriously, but we are committed to protecting our students and staff,” the CSSA stated in a public post.
The CSSA is now working with Quebec’s Centre opérationnel de cyberdéfense (COCD), the Ministère de la Cybersécurité et du Numérique, and private cybersecurity firm Précicom to investigate the breach. While no personal data has been confirmed as compromised, the CSSA is preparing for the possibility that sensitive records—such as student identities, medical information, or staff payroll data—may have been accessed.
A Parallel Crisis: The CSS du Fer’s Struggle
While the CSSA’s attack made headlines, another Quebec school board—the Centre de services scolaire du Fer—was simultaneously battling its own cyber crisis. As Radio-Canada reported, the CSS du Fer confirmed a suspected cyberattack on the same day, affecting all departments across its Sept-Îles, Port-Cartier, and Fermont locations. With nearly 1,000 employees and over 4,000 students, the board’s inability to access digital records forced a return to analog methods, including paper-based attendance logs and manual communication with parents.
The CSS du Fer’s director general, Marc-André Masse, emphasized that the attack’s origins and full impact remain under investigation. Unlike the CSSA, the CSS du Fer has not confirmed whether ransomware was involved, though the disruption—including blocked emails and disabled printers—suggests a similar breach. The parallel crises raise questions about whether Quebec’s education sector is facing a coordinated campaign or simply the inevitable consequences of an increasingly digital—and therefore vulnerable—infrastructure.
What Comes Next: Lessons and Uncertainties
The CSSA’s experience offers a case study in both the vulnerabilities and the resilience of modern educational institutions. While the attack was severe, the CSSA’s preparedness—learned from its 2016 breach—allowed it to recover critical operations within days. However, the threat of data leaks and the long-term reputational damage remain significant challenges. The CSSA’s decision not to negotiate with attackers sets a precedent for other organizations facing similar threats, but it also underscores the need for even stronger cybersecurity measures.
For Quebec’s education sector, the attacks serve as a stark reminder that cybersecurity is no longer an IT issue—it’s an operational necessity. The CSSA’s recovery efforts, while successful, required rapid adaptation, manual workarounds, and significant resources.
- Advanced threat detection: AI-driven monitoring to identify anomalies before they escalate.
- Decentralized backups: Ensuring critical data is stored in multiple, air-gapped locations.
- Employee training: Regular simulations of phishing and social engineering attacks.
- Incident response plans: Clear protocols for containing breaches and communicating with stakeholders.
- Collaboration with provincial cyber agencies: Leveraging resources like the COCD for real-time threat intelligence.
The CSSA’s ability to maintain the school year—despite the attack—demonstrates that even in the face of digital collapse, education can persist. But the long-term costs—disrupted learning, potential data leaks, and the erosion of public trust—highlight why cybersecurity must be treated as a priority, not an afterthought.
As of May 25, 2026, the CSSA has not disclosed whether the attackers were ever identified or if any charges have been filed. However, the incident has already prompted calls for provincial funding to help school boards upgrade their cyber defenses. With ransomware attacks on educational institutions rising globally, Quebec’s experience may become a blueprint for how other regions prepare for—and respond to—the next wave of digital threats.
The question now is whether these attacks will spur systemic change—or if they will be forgotten once the systems are back online.
