Cyberattack affecting school boards across Canada may involve decades of data. What can families do?

Over the past two weeks, school boards across Canada have been grappling with the aftermath of a major data breach connected to PowerSchool, an outside provider that K-12 schools use to manage student information. The breach, which occurred in late December, has left officials scrambling to determine the extent of the incident and the potential impact on student data dating back decades.

School divisions in Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, and Prince Edward Island all use PowerSchool to manage student personal and academic information. The breach, which involved a compromised back-end account used for technical support, has raised concerns about the security of sensitive student data.

While investigations into the cyberattack continue, some boards have revealed the specific data that may have been accessed. This includes names, birthdates, home addresses, phone numbers, student ID numbers, grades, gender, medical information, emergency contacts, and disciplinary notes. The severity of the breach has prompted the attention of Canada’s privacy commissioner.

At the Toronto District School Board, it is estimated that data from approximately 1.49 million students could have been impacted, dating back to September 1985. The board has been working to notify current and former families about the breach and has posted updates on their online resources hub. Despite the potential breadth of the breach, PowerSchool has assured the board that the copied information has been deleted and has not appeared online.

Cybersecurity expert Tony Anscombe has warned that cybercriminals could use the stolen student data to craft phishing scams, extract credit card information, or commit identity theft. He advises parents to talk to their children about the breach, change passwords on school accounts, enable two-factor authentication, set up credit monitoring, and be cautious of email offers that may be scams.

In response to the breach, schools may need to revisit the types of student information they collect and store. The Toronto District School Board has decided to stop collecting health card numbers and will delete any that were previously collected. Anscombe suggests that school boards establish good cybersecurity practices, conduct tabletop exercises to prepare for potential breaches, and ensure that third-party software or services have strong security procedures in place.

While cyberattacks on schools are becoming increasingly common, Anscombe believes that with the right processes and cybersecurity measures in place, they can be avoided. By taking proactive steps to protect student data and being vigilant about potential threats, schools can minimize the risk of future breaches and safeguard sensitive information.