There seems to be no end to how far the PowerSchool Breach has spread. This time it is Canadian schools.
The PowerSchool cyberattack has exposed decades of student data across numerous Canadian school boards.
The breach, impacting systems used for powerschool enrollment and accessed by powerschool teachers, has affected millions of students and staff.
The scale of the data exposure is significant, with some boards revealing compromised data dating back to the 1960s. The affected school boards utilize PowerSchool, a widely used K-12 student information system, for managing student records, including sensitive information.
For example, the aacps powerschool system for special education was also affected.
Decades of Data Exposure and Affected School Boards, Enrolled Students and Powerschool Teachers Data
The PowerSchool Breach, originating from a compromised back-end support account in late December, has raised serious concerns about the security of student data.
The compromised information includes names, birthdates, addresses, phone numbers, student IDs, grades, gender, medical information, emergency contacts, and disciplinary notes. In some cases, even social insurance numbers of past and current school teachers were accessed.
The Toronto District School Board (TDSB), Canada’s largest, estimates the breach potentially affected data for 1.49 million students from September 1985 to December 2024.
“Past student info… is kept to allow for record requests after the fact,” noted TDSB spokesperson Ryan Bird.
The incident has prompted investigations and the involvement of Canada’s privacy commissioner. PowerSchool has assured affected boards that the copied information has been deleted and hasn’t appeared online.
However, the potential for misuse remains significant. Cybersecurity expert Tony Anscombe warns that even basic student information can be used for phishing scams or to create fraudulent credit requests.
He emphasizes, “Verify everything that turns up and trust nothing.”
He also highlights the risk of combining seemingly innocuous data with information from other sources to create a complete identity profile for extortion.
Mitigating Risks After the PowerSchool Cyberattack: Cybersecurity Measures and Identity Theft Protection for Families
In response to the cyberattack on PowerSchool, families and schools are urged to take proactive cybersecurity measures.
These include discussing the breach with children to identify suspicious emails, changing passwords on school accounts and associated accounts, enabling two-factor authentication, and setting up credit monitoring for children.
“Set up credit monitoring for your kids… It stops anybody actually using it until you unlock it,” advises Anscombe.
The TDSB, for example, has decided to stop collecting health card numbers and will delete existing ones.
The incident underscores the importance of monitoring personal information after a cyberattack and highlights the best practices for securing student data in educational institutions.
The risks associated with educational data breaches are substantial, emphasizing the role of cybersecurity experts in addressing school cyber threats.
How Can Student Data Be Used? The Risks Associated with Educational Data Breaches
“With basic info like a student’s name, grade, and a parental email, cybercriminals could easily craft a phishing scam to extract credit card info,” says Tony Anscombe, an expert from cybersecurity services firm ESET.
“That could look like a note urging you to click a link to pay for your third-grader’s school trip, for example. Or it might spoof a note from your school division, inviting you to sign up for credit monitoring after this very breach,” he noted.
Alternately, a student name and home address could potentially be coupled with a faked date of birth to create a credit request or apply for a piece of ID. Other details—like prescription medications and notes about learning challenges—could be joined with information from a separate incident and “together, they may well have actually have enough of the puzzle to now go and breach somebody’s identity [and] extort money from them.”
Mitigating Risks After the PowerSchool Cyberattack: Cybersecurity Measures and Identity Theft Protection for Families and Schools
Anscombe outlines several steps parents can take:
- Talk to your kids: Discuss the breach so they can watch for anything odd in school emails, like phishing attempts.
- Change passwords: Change your password on school accounts. If password recovery prompts include info that may have been compromised (e.g., your mother’s maiden name), change those, too.
- Two-factor authentication: Turn on two-factor authentication for all accounts.
- Credit monitoring: Set up credit monitoring for your kids. Anscombe says that once a free account is created, it can be used to lock the credit record. “It stops anybody actually using it until you unlock it.”
- Be skeptical: Be skeptical about email offers. Check if the offer is real by going to your board’s website or calling them to confirm, rather than immediately clicking on a link in an email. “Verify everything that turns up and trust nothing.”
- Review forms: When prompted to input personal details for school forms, consider if every field is absolutely necessary to fill in and ask the school about it.
“Understanding that our data has value and that we’re leaving our value in too many places where it could be stolen, I think, is a really good mindset,” Anscombe said.
“Cyber criminals will go and look for the lowest hanging fruit,” he said.
For schools, Anscombe suggests establishing good cybersecurity practices, staging “tabletop exercises” to run through how to respond to potential breaches, and ensuring third-party software or services have strong security procedures in place and regularly auditing those procedures.
