Alberta's Information and Privacy Commissioner has raised serious concerns following the release of an investigation into a massive data breach affecting students and staff across the province and throughout Canada. The breach involved PowerSchool, a student information management system used by numerous school divisions.
How the PowerSchool Breach Unfolded
In late December 2024, PowerSchool detected unauthorized access to its systems through its PowerSource support portal. The intrusion occurred due to a compromised credential, which allowed an attacker to infiltrate systems containing highly sensitive information about students and educational staff.
Alberta Information and Privacy Commissioner Diane McLeod, whose office collaborated with Ontario's privacy watchdog on the investigation, emphasized the significant risks posed by this security failure. "It is essential to remember that privacy does not happen on its own," McLeod stated in a Tuesday release. "It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected."
What Student Information Was Exposed?
On January 7, PowerSchool formally notified affected Alberta school divisions, including Greater St. Albert Catholic Schools and Edmonton Catholic Schools. The compromised data included:
- Student and staff names
- Dates of birth
- Alberta student numbers
- Home addresses
- Basic medical alert information
School division statements confirmed that no financial information or social insurance numbers were accessed during the breach. However, the exposed personal information still creates substantial privacy risks for those affected.
National Impact and Security Failures
The breach had far-reaching consequences across Canada, affecting tens of thousands of students and staff in multiple provinces and territories. PowerSchool's widespread use meant educational bodies in Ontario, British Columbia, Saskatchewan, Manitoba, Nova Scotia, New Brunswick, and Newfoundland and Labrador all experienced data compromises.
In Ontario, affected divisions included the Toronto District School Board, Peel District, Durham District, York Region, and Ottawa Catholic schools. Manitoba reported at least 16 impacted school divisions, while Nova Scotia's Cape Breton-Victoria Regional Centre for Education also confirmed breaches. Some incidents involved extortion or ransom attempts following the data exposure.
The investigation revealed critical security shortcomings. Some school divisions had contracts with PowerSchool that lacked essential privacy and security requirements. Additionally, divisions failed to adequately monitor the software's safeguards, permitted extended remote access to student data, and lacked comprehensive breach response plans.
Commissioner McLeod outlined a clear path forward: "I believe the recommendations in our reports, including those to government, set out a path that, if followed, will ensure that appropriate actions are taken. There is no way around this. It simply must be done."
