A significant data breach involving PowerSchool, a widely used student information system, has raised alarms across educational institutions in Canada, impacting the privacy of students and educators. Investigations are underway amid concerns over the handling of sensitive personal information.
According to Alberta’s Information and Privacy Commissioner Diane McLeod, her office is currently reviewing 31 breach notices submitted by educational institutions following the unauthorized access to data from December 22 to December 28, 2024. The breach, which is part of a larger trend of cyberattacks, has raised serious privacy concerns, especially as it directly affects children.
“I take the privacy rights of Albertans, and particularly children, very seriously,” McLeod said. “We are working with the affected educational institutions to mitigate the risks to those affected by the breach.”
The fallout from this incident is substantial, affecting various Alberta school boards, including Edmonton Catholic School Division, St. Albert Public Schools, and Rocky View Schools. Students' names, dates of birth, phone numbers, genders, and other sensitive information, such as allergies and personal health information, were compromised.
The breach has not been contained to Alberta alone; institutions from across Canada, including those in Manitoba and the Maritimes, reported similar breaches related to PowerSchool’s software. The Privacy Commissioner of Canada, Philippe Dufresne, has also launched his own formal investigation. He stated, “My immediate focus is on ensuring the company is taking the necessary steps to address the issue and protect Canadians’ personal information.”
Many educational institutions are working to inform their communities about the breach. For example, Manitoba’s school boards have pledged to notify affected families. Some institutions reported their students’ data being part of the incident, with western provinces particularly hit hard. “PowerSchool will notify affected Canadians and will be offering credit monitoring and identity protection services,” Dufresne added, indicating the gravity of the situation.
PowerSchool’s investigation revealed the breach was executed through one of its customer-support portals, which allowed unauthorized access to sensitive data. The company, headquartered in Folsom, California, acknowledged the breaches and stated they are working with Canadian officials to fully assess the impact of the breach.
Specific details from breach reports indicated the data exposed includes students' personal identifiers along with potential access to medical and health-related information. This upcoming inquiry by the OIPC and the Canadian Privacy Commissioner aims to determine the scale of the damage and prevent future incidents.
Educational authorities are cooperating closely with privacy regulators to understand the full scope of the breaches and to assist those affected. Reports indicate some of the compromised data may also include educators' personal information, heightening concerns around the protection of sensitive educational data.
Alberta’s privacy authority emphasized the importance of notifying those affected and mitigating the risks associated with having their data exposed. They have been working closely with regulators across the country to address the issues and resolve the privacy concerns for Canadians involved within the education sector.
PowerSchool is offering two years of identity protection and credit monitoring services as part of their response to the breach, encouraging all affected individuals, including students and educators, to register for these services to safeguard their information.
The increasing frequency of such breaches has led officials to call for more rigorous data security measures. Dufresne remarked, “We need organizations to prioritize information security, especially when it involves data of children.”
Overall, this incident is part of larger concerns about cybersecurity within education attributed to inadequate protections for sensitive personal information managed by third-party software vendors. Many affected institutions are left dealing with the ramifications, and the sector may undergo significant scrutiny moving forward to bolster protections and trust.