SASKATCHEWAN — PowerSchool, a U.S.-based provider of student information software, recently notified school boards in Ontario, Alberta, Saskatchewan, Manitoba, and the Maritime provinces about a potential cybersecurity incident. The company became aware of unauthorized access to certain Student Information System (SIS) data on December 28 and informed the school boards about this issue two weeks ago.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team,” PowerSchool states on its website. “PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.” PowerSchool has engaged Experian, a trusted credit reporting agency, to provide these services. Starting in the next few weeks, PowerSchool will coordinate with Experian to provide notice on behalf of schools to students (or their parents/guardians if the student is under 18) and educators whose information was exfiltrated from their PowerSchool SIS.
PowerSchool provides cloud-based software to K-12 schools. This security incident affected some of the districts using the PowerSchool Student Information System product. There is no evidence that any other PowerSchool products were affected by this incident. “We are not sharing specifics around the number of districts and schools we believe were involved. We are in communication with those customers directly and are supporting them through [the] next steps.”
According to publicly shared information, the data breach involved unauthorized access to certain PowerSchool Student Information System (SIS) data through PowerServe, one of its community-focused customer portals. A spokesperson for PowerSchool added it was working “with urgency” to identify the specific individuals whose data may have been leaked and said that “the data impacted varies in volume and sensitivity by school district.” According to the PowerSchool website, the software is used by 76 percent of students in Canada.
Cyberattacks can cause significant harm to schools. They can disrupt daily operations by incapacitating integrated, division-wide networks, and attacks such as this may jeopardize and leave vulnerable, the extensive data that schools collect from students, families, and staff. Experts emphasize that more attention and action are needed to reinforce the defences of school boards.
“Cyberattacks are very prevalent. Cyberattackers are extremely sophisticated … but there’s lots that schools, school boards and other public institutions can do to help reduce the risks and the impacts,” said Patricia Kosseim, Ontario privacy commissioner, in an interview with CBC. Schools, like other public institutions, are attractive targets because they hold large amounts of personal information.
At the end of the day, cyberattacks are motivated by the pursuit of money, says Ivo Wiens, the Field Chief Technology Officer of cybersecurity at CDW Canada, an internet technology services firm. This could involve forcing a school board to pay a ransom to restore its systems or delete stolen student information. Alternatively, attackers might use the stolen data for fraudulent activities. Wiens refers to a student’s name, home address, and phone number as “fresh identity” information, which, combined with a false social insurance number, can be used to apply for loans or credit cards. “It’s a very calculated game by these attackers, and they know there is, relatively speaking, cash to be made,” he explains. “Cybersecurity used to be a topic for the boardroom; now it’s a conversation at the kitchen table.”
The tracking of cyber incidents in Canadian schools is unclear. Only five jurisdictions require public K-12 schools to report cyber incidents that result in privacy breaches: British Columbia, Manitoba, Quebec, Northwest Territories, and Newfoundland and Labrador.
Several school boards in Alberta, including the Calgary Board of Education and Rocky View Schools, Red Deer Public and Catholic, Wolf Creek Public Schools, Battle River School Division, East Central Catholic Schools, Edmonton’s Catholic, St. Albert’s Catholic, Greater St. Albert Catholic Schools and Elk Island Public Schools are also among the school boards affected.
In Ontario, 19 school boards including Toronto-area school boards, such as Peel, York and Toronto itself, Durham School District, Thunder Bay Catholic District School Board, Lakehead District School Board, Brant Haldimand Norfolk Catholic District School Board, Near North District School Board, Northwest Catholic District School Board, Northeastern Catholic District School Board and Rainy River District School Board, are confirmed to be affected by the cybersecurity incident.
Approximately 16 Manitoba school divisions were reportedly affected by the data breach including Louis Riel, Sunrise, Portage la Prairies, River East Transcona, Division Scolaire Franco-Manitobaine, Swan Valley, Mountain View, Park West, Beautiful Plains, Brandon, Prairie Spirit, Western, Borderland, Red River Valley, Hanover and Seine River.
The Cape Breton-Victoria Regional Centre for Education in Nova Scotia and the Prince Edward Island government also confirmed that personal data of past and present students, teachers, parents, guardians and administrators may have been compromised.
Only one Saskatchewan school division has been publicly identified as having its information included in the breach. The Prairie Spirit School Division used PowerSchool as a third-party provider for managing school division data from 2009 to 2022. Jesse Green, Communications Officer with Horizon School Division, explained Saskatchewan’s student information is stored in MySchoolSask, a student information system adopted by all Saskatchewan schools. This explains why Saskatchewan schools were, for the most part, unaffected by the breach.
In 2017, the Ministry of Education began planning for the implementation of a provincial student information system, and in April 2018 the tender was awarded and school divisions began planning for the transition to MySchoolSask (MSS). MSS is designed to store student data including demographic information, schedules, attendance, grades, and more. As a central provincial system, it captures student data even when students change schools within Saskatchewan. Approximately half of the province’s school divisions implemented the new program in 2019, with the rest following in subsequent years. The goal was for all Saskatchewan schools to implement the system by 2021.
“The Office of the Privacy Commissioner of Canada is in contact with PowerSchool to obtain more information about this breach and to determine next steps,” a spokesperson for Philippe Dufresne’s office wrote in an email to Global News.
Protecting students’ privacy is a significant responsibility of school boards and regulators. The data-driven nature of EdTech systems complicates efforts to safeguard the privacy of young people, particularly given that the business model of EdTech providers often relies on selling additional services to schools. Additionally, data privacy laws globally are largely based on frameworks established over fifty years ago, long before the advent of the World Wide Web.
Feature image by iStock.com/WhataWin
