Overview
- Co-ordinated reports released Tuesday found many school boards lacked breach plans, key privacy clauses in PowerSchool contracts, and effective oversight of the vendor’s safeguards.
- About 5.2 million people in Canada were affected, including roughly 3.86 million in Ontario and more than 700,000 in Alberta, with dozens of boards and education bodies reporting incidents.
- Investigators say attackers used compromised credentials to access the student information system and PowerSource portal, with an always-on remote maintenance setting enabling entry.
- Recommendations include renegotiating contracts, implementing ongoing monitoring and multi-factor authentication, limiting remote access to an as-needed basis, and strengthening incident response policies, with calls for provincial support to boost bargaining power.
- PowerSchool paid a ransom; the federal privacy probe ended in July after remediation commitments; an independent security assessment is due by March 2026; and a 19-year-old in Massachusetts was sentenced in October to four years for related cyber extortion.