Privacy commissioner probing massive breach of student information

The federal privacy watchdog has initiated an investigation into a cybersecurity breach at a company responsible for storing the personal information of K-12 students across Canada. Privacy commissioner Philippe Dufresne announced on Tuesday that the investigation was prompted by a report from PowerSchool, the U.S.-based provider of the affected software, as well as a complaint regarding the breach.

Last month, PowerSchool informed school boards in various provinces and territories in Canada, including Newfoundland and Labrador, Nova Scotia, Ontario, Alberta, Manitoba, Prince Edward Island, and the Northwest Territories, that a data breach in late December had resulted in the exposure of students’ personal information. The compromised data includes addresses, medical details, grades, disciplinary notes, and in some instances, the social insurance numbers of educators and staff members.

The Toronto District School Board, the largest school board in the country, disclosed in January that the personal information of over 1.49 million students, such as addresses, health card numbers, emergency contacts, and medical information, may have been compromised in the breach.

Dufresne emphasized that his immediate priority is to ensure that PowerSchool is implementing measures to minimize the risk to those affected by the breach and to prevent similar incidents from occurring in the future. The privacy commissioner has engaged in discussions with PowerSchool representatives and is actively involved in overseeing the organization’s response to the breach.

PowerSchool provides cloud-based software to numerous Canadian K-12 school boards for managing student information and communications. In response to the data breach, the company is offering affected individuals two years of protection against identity theft and credit monitoring.

Under the Personal Information Protection and Electronic Documents Act, private organizations are obligated to notify the privacy commissioner of any breach involving personal information that could harm individuals impacted by the breach. They are also required to inform the affected individuals. An investigation by the privacy commissioner is initiated upon receipt of a formal complaint.

Names, phone numbers, social insurance numbers, and other sensitive personal information were exposed in the breach, prompting school boards across the country to assess the extent of the breach and provide resources to affected individuals. Provinces like Alberta have set up dedicated websites to address inquiries about the breach and facilitate access to the credit monitoring services offered by PowerSchool.

The breach impacted a significant number of individuals in various regions, with reports of breached data in Alberta, the Northwest Territories, Newfoundland and Labrador, Prince Edward Island, Ontario, and Nova Scotia. Authorities are diligently working to determine the full scope of the breach and provide support to those affected by the incident.