Canada’s Privacy Commissioner launched an investigation into the PowerSchool security breach affecting millions of Canadian students and teachers.
The federal investigation focuses on PowerSchool, a popular learning management software provider for K-12 schools, includes the Calgary Board of Education (CBE).
The software company shared in a written statement on Feb. 7 that it learned of a cybersecurity attack on its system on Dec. 28, 2024, in which the personal information of an estimated 62.4 million students and 9.5 million teachers across the United States and Canada was stolen.
Information relating to current and former students and teachers’ names, contact information, date of birth, medical alert information, and social insurance numbers were involved in the breach.
“There are many, many, many attacks that can be done now that they have this information,” says Khosro Salmani, an associate professor in the Department of Mathematics and Computing at Mount Royal University, who specializes in data privacy. “For example, in the future, they can start using identity theft and fraud, targeted phishing, and social engineering attacks are going to be much easier when they know about the victims or the people that I think they want to attack.”
In response to the attack, PowerSchool reportedly paid a ransom to prevent the stolen data from being released, according to Bleeping Computer, who first reported on the data breach.
Some experts remain skeptical that the hacked information has been deleted, claiming it’s easy to fake the video proof provided to PowerSchool.
PowerSchool notified affected schools, educators, and students in early January and offered credit monitoring and identification services for two years to everyone concerned.
Calgary schools affected
“When we were informed of the cybersecurity incident involving PowerSchool on Jan. 7, we immediately began an internal investigation on how the breach occurred and what information may have been taken,” CBE said in a statement to the Calgary Journal.
While students and educators in this school board were affected, the Calgary Board of Education says they have yet to receive confirmation from PowerSchool on how many students and teachers were affected by the breach, although Bleeping Computer estimates the number to be more than 600, 000.
“We shouldn’t forget that these are students that we are talking about, they are just teenagers and kids, and they have their whole lifetime ahead of them,” says Salmani. “All of this information is out there now and for the rest of their lives, somebody might use it actually in order to take advantage of this. So these are the kinds of things that we should be worried about.”
While it is important for individuals to take precautions with their data — including using different and unique passwords for every application — Salmani stressed the importance of security measures like two-factor authentication for corporations which can prevent incidents like this.
“I don’t know how many times this should happen until we learn our lesson,” says Salmani.“A couple of years ago, there was the same kind of scenario with 23andMe which was a company that was working with many records, ancestry, DNA testing and this kind of stuff, right? They had the same kind of problem.”
“Two-factor authentication has been around for many, many years now. And then, the only thing that we have to do – we have to just employ it in our security systems.”
The investigation begins
The federal privacy comissioner’s investigation was launched under the Personal Information Protection and Electronic Documents Act.
“My office has had discussions with PowerSchool representatives and remains actively engaged in this matter to ensure that the organization is taking appropriate steps to respond to the breach,” said Privacy Commissioner Philippe Dufresne in a statement announcing the investigation.
“My immediate focus is on ensuring that the company is taking the necessary steps to address the issue and protect Canadians’ personal information, notably breach containment and measures to reduce risks to those affected, as well as actions to prevent future breaches.”
The federal privacy watchdog will also work with provincial privacy officials such as Alberta’s Office of the Information and Privacy Commissioner, which says it has received more than 30 notices of security breaches in Alberta schools.
An estimated 80 school boards in Canada have been affected by this data breach, with more than 30 are in Alberta. It’s unclear the extent of information that has been compromised in each school board.