School boards across Canada are grappling with the fallout from a major cyberattack on PowerSchool, a widely used management software platform.
The breach, which affected school boards in six provinces, may have compromised sensitive personal information of students, including names, addresses, health card numbers and medical details.
The US-based company said the unauthorized access to its system occurred between December 19 and 23, 2024, and involved “limited student and staff data.”
PowerSchool informed school districts this week that hackers infiltrated their systems using a compromised credential to gain access to one of their portals: PowerSource, a spokesperson told CTVNewsToronto.ca in an email.
PowerSchool says the compromised data has since been deleted and the compromised credential has been disabled and password and access control for all accounts has been tightened, according to the statement.
What was the objective?
The breach potentially exposed data from two tables housed in PowerSchool’s ‘Student Information System,’ a central database that includes contact information for families and educators, according to a PowerSchool spokesperson.
“Each district will be a little different in terms of the data stolen. But this was the main table…the attackers essentially stole a list of all the children in the district for the affected districts,” Mark Racine, a security consultant for school boards, told CP24 in an interview.
A PowerSchool spokesperson also told CTVNewsToronto.ca that “for a certain subset of customers” these tables may also include the Social Security Number (SSN), the US equivalent of the Canadian Social Security Number, other personally identifiable information (PII ) and limited medical and medical data. qualification information.
alberta
Several school boards, including the Calgary Board of Education and Rocky View Schools (RVS), the public school division serving students in west, north and east Calgary, have notified parents about a breach in their system and are investigating to determine how much information was accessed.
Edmonton Catholic Schools, St. Albert’s Catholic, Greater St. Albert Catholic and Elk Island Public Schools are also among the school boards affected.
ontario
Toronto area school boards, including those in Peel, York and Toronto itself, are confirmed to be affected by the cybersecurity incident. The Durham District School Board confirmed to families who had been affected by the data breach; However, Ontario’s Information and Privacy Commissioner told CTVNewsToronto.ca that Durham had not contacted them.
Ontario’s Information and Privacy Commissioner told CTVNewsToronto.ca in an emailed statement that the following boards were also affected: Thunder Bay Catholic District School Board, Lakehead District School Board, Catholic District School Board by Brant Haldimand Norfolk, Near North District School Board, Northwest School Board District School Board, Northeast Catholic District School Board, and Rainy River District School Board.
The IPC also said that the Ministry of Education reported the incident to its office.
“The possibility that sensitive personal information of students and staff may have been exposed is very concerning. While public institutions such as schools and school boards can outsource services to third-party providers, they cannot outsource the responsibility of protecting personal information,” the IPC statement reads.
As for the Ottawa Catholic School Board, it warned parents about the violation, noting that specific details are still being determined. He is in contact with PowerSchool to address the issue.
manitoba
About 16 Manitoba school divisions were affected by the data breach, CTVNewsWinnipeg.ca reports.
School boards include: Louis Riel, Sunrise, Portage la Prairies, River East Transcona, Division Scolaire Franco-Manitobaine, Swan Valley, Mountain View, Park West, Beautiful Plains, Brandon, Prairie Spirit, Western, Borderland, Red River Valley, Hanover and Seine River.
The school divisions noted that PowerSchool has worked with cybersecurity experts to resolve the situation.
The Maritimes
The Cape Breton-Victoria Regional Education Center in Nova Scotia was also included in the data breach.
The federal government is also conducting its own investigation.
The Prince Edward Island government also says the personal data of past and present students, teachers, parents, guardians and administrators may have been compromised and is working with PowerSchool to better understand the impact.
With files from Alex Arsenych of CTVNewsToronto.ca, Garrett Barry of CTV National News, Michael Franklin and Timm Bruch of CTVNewsCalgary.ca.
