Privacy watchdogs in Ontario and Alberta have released findings after investigating a massive data breach involving a student information system used nationwide, concluding that multiple school boards lacked adequate breach response plans and oversight protocols.
Cyberattack on Student Data System Exposed Millions
Ontario’s privacy commissioner reported that PowerSchool, a U.S.-based software and storage provider for school systems in both Canada and the United States, was targeted in a cyberattack and ransom threat in December 2024. The breach compromised the personal data of current and former students, parents, and staff across multiple provinces.
Approximately 5.2 million Canadians were affected by the incident. PowerSchool reportedly paid a ransom to the attackers, but the threat actors also sought payments directly from school boards, including boards in Toronto and Peel Region.
The incident highlights the critical vulnerabilities in school systems’ cyber preparedness and the challenges in safeguarding sensitive student and staff information across widely used digital platforms.
Common Weaknesses Across School Boards Identified in Provincial Investigations
Separate investigations by Ontario and Alberta revealed several recurring issues. Many school boards lacked formal breach response plans or protocols, failed to incorporate essential privacy and security provisions in their contracts with PowerSchool, and did not implement sufficient oversight of the company’s safeguards.
Boards were found to have inadequate monitoring systems and insufficient policies to ensure compliance with data protection obligations, leaving student information exposed in the event of cyber threats.
The provincial privacy commissioners issued a series of recommendations, urging boards to review contractual agreements with PowerSchool, strengthen monitoring systems, and implement comprehensive breach response policies to prevent future incidents.
Links to Previous Cyber Extortion Case Highlight Risks
The findings follow the sentencing of a 19-year-old Massachusetts man to four years in prison after pleading guilty to cyber extortion against two companies, including PowerSchool. Court documents reveal that one targeted company received a ransom demand totaling $2.85 million in bitcoin, accompanied by threats to publicly release sensitive data—including names, email addresses, phone numbers, and medical records—of millions of students and educators.
PowerSchool stated at the time of the sentencing that it remained “focused on supporting our school partners and safeguarding student, family and educator data.”
Federal Investigation and Ongoing Security Measures
In February 2025, Canada’s federal privacy watchdog initiated an investigation into the breach. Privacy commissioner Philippe Dufresne later discontinued the inquiry in July, citing satisfaction with PowerSchool’s response and commitment to enhanced security measures, such as strengthened monitoring and detection systems.
PowerSchool has committed to providing an independent security assessment and report on its information safeguards by March 2026, demonstrating ongoing efforts to protect student and staff data.
The breach underscores the need for educational institutions to maintain up-to-date security frameworks and breach response procedures when relying on third-party service providers for sensitive information.