Date: 2025-01-15

Canada’s privacy commissioner is communicating with PowerSchool after its software — used by schools across North America to store student data — was the subject of a high-profile data breach.

“The Office of the Privacy Commissioner of Canada is in contact with PowerSchool to obtain more information about this breach and to determine next steps,” a spokesperson for Philippe Dufresne’s office wrote in an email to Global News.

The statement from Dufresne’s office comes after The Canadian Press reported that several Canadian school boards are among those affected by the data breach.

Officials in Ontario, Alberta, Newfoundland and Labrador, and Nova Scotia say they’re working with PowerSchool to determine the extent of the breach.

The company behind the software says on its website it had determined that some “personally identifiable information,” such as social security numbers and medical information, “was involved” in the breach. PowerSchool says it is working to identify whose data may have been leaked during the incident, which it says it learned of on Dec. 28.

How could children be affected?

John Zabiuk, the chair of the cybersecurity program at the Northern Alberta Institute of Technology (NAIT Polytechnic), said if that information was leaked about children, “we want to make sure that there’s no predators or anybody looking to cause harm to children is making use of that (information).”

Zabiuk cautioned that whether the leaked information involves social insurance numbers or more basic information like a name, phone number and date of birth, it can start the process towards the information being used by bad actors.

“As long as you have enough information that corroborates that you are who you say you are, you can assume an identity,” he said.

He added that if a SIN was accessed, a person could use it to create an account in the name of that student and “effectively take over” a person’s financial life, which could result in a student later learning they have bad credit.

A spokesperson for PowerSchool added it was working “with urgency” to identify the specific individuals whose data may have been leaked and said that “the data impacted varies in volume and sensitivity by school district.”

Zabiuk said that while it’s not yet known how many students, staff or parents are impacted, the breach gives people the opportunity to talk to their kids about safety online.

“Let them know the types of things that could happen and that they should be aware of in terms of maybe all of a sudden strange people are contacting them or they’re getting emails or just things seem weird,” he said.

Zabiuk added that, moving forward, PowerSchool needs to look at its architecture to prevent future data breaches, and said the fact that one account gained access to multinational data is a problem.

What happened?

According to information provided by PowerSchool, the data breach involved unauthorized access to certain PowerSchool Student Information System (SIS) data through PowerServe, one of its community-focused customer portals.

The company says it communicated with its customers on Jan. 7, adding that those that don’t use PowerSchool SIS were not impacted.

Some school boards have said what information was accessed, such as St. Albert Public Schools in Alberta, which noted that names, birth dates, phone numbers and addresses from accounts dating back to 2012 were exported, while others, like the Toronto District School Board, said they were still working to determine what data was accessed.

The Ontario privacy commissioner’s office told Global News that it had received privacy breach reports from 19 school boards related to the incident and was investigating the matter, but could not provide further information on what data may have been accessed, calling it “very concerning” that sensitive data may have been exposed.

Edmonton Catholic Schools posted a letter online that it received from PowerSchool indicating it had been impacted, with Cape Breton-Victoria Regional Centre for Education in Nova Scotia also saying it had been part of the breach, though neither provided further details.

The company told Global News it expects the majority of involved customers did not have social security numbers or medical information “exfiltrated,” though it did not specify whether Canadian social insurance numbers were accessed.

PowerSchool also says it has no evidence credit card or banking information was involved.

—with files from The Canadian Press