The PowerSchool data breach, which occurred in late December 2023, has significantly impacted the education sector across Canada. The breach compromised the company’s software, used by schools to store sensitive student and staff data, affecting school boards across seven provinces and one territory. While the full extent of the breach continues to be investigated, initial reports indicate a widespread impact, raising concerns about data privacy and security within the education system.
The provinces and territory affected by the breach include Alberta, Saskatchewan, Manitoba, Ontario, Northwest Territories, Nova Scotia, Prince Edward Island, and Newfoundland and Labrador. Initial reports indicate that over 80 school boards across these regions have been impacted. The two largest school boards in Ontario, the Toronto District School Board and the Peel District School Board, confirmed that over 2.4 million students were affected. The breach’s scope extends beyond current students, with some school boards reporting that data dating back several decades was potentially accessed.
The remaining provinces and territories – Quebec, New Brunswick, Nunavut, British Columbia, and Yukon – have reported that their school boards were not affected. These jurisdictions either do not utilize PowerSchool software or employed configurations that prevented the specific vulnerability exploited in the breach. New Brunswick, for instance, uses separate PowerSchool instances for each district, which prevented remote access to their servers for troubleshooting, the vulnerability that led to the breach.
The number of affected individuals varies considerably across different regions and school boards. While some boards have released specific figures, others are still in the process of assessing the extent of the breach. For instance, over 2.46 million students were affected in the Toronto and Peel school boards alone, while Nova Scotia confirmed 35,000 current and former students were impacted. The number of impacted staff is less well-known, although Peel District School Board reported 18,760 affected staff members, and the Cape Breton-Victoria Regional Centre for Education in Nova Scotia reported 3,200 affected employees. The full extent of the impact, including the total number of affected individuals and the types of data accessed, is still under investigation.
As investigations continue, the number of affected schools and individuals may change. Some schools initially reported being affected but later clarified, after further investigation by PowerSchool or internal reviews, that no data had been compromised. Conversely, other schools initially believed to be unaffected later confirmed data breaches and determined the timeframe of the affected data. These evolving numbers highlight the complex and ongoing nature of the investigation, making it difficult to ascertain the full impact at this stage. Furthermore, the diversity in the timeframes of the affected data, ranging from recent records to data dating back decades, as in the case of Peel District School Board (records dating back to 1965), adds another layer of complexity to the situation.
The data breach has prompted responses from various government agencies and the company itself. The federal privacy commissioner expressed concern about the breach and is in contact with PowerSchool to determine the next steps. Ontario’s privacy commissioner has launched an investigation, while Alberta’s privacy commissioner is reviewing the reported breaches. PowerSchool is cooperating with investigations and has engaged credit monitoring services, including TransUnion, to offer two years of complimentary credit monitoring for affected adults, regardless of whether their social insurance or social security numbers were compromised. Additionally, PowerSchool is offering identity protection services for students and educators. The company is also in the process of notifying relevant regulators in both the United States and Canada. A class-action lawsuit has been filed against PowerSchool in Alberta, although it is still pending certification. The ongoing investigations and legal proceedings underscore the severity of the data breach and the potential long-term consequences for affected individuals and institutions.
