On Tuesday, Canada’s Privacy Commissioner announced the discontinuation of an investigation into a significant data breach involving PowerSchool, an education software firm. The investigation followed a December 2024 cyberattack that compromised the personal information of millions of students and staff across Canada. The breach encompassed sensitive data, including medical records and social security numbers. The Office of the Privacy Commissioner (OPC), led by Philippe Dufresne, revealed that PowerSchool had undertaken measures to mitigate the effects of the breach. These actions included notifying affected individuals, offering credit protection, and committing to strengthen their cybersecurity protocols.

The OPC noted that PowerSchool has implemented enhanced monitoring and detection tools to fortify its security measures. Dufresne stated that these proactive steps taken by PowerSchool prompted the decision to end the investigation, although the OPC will continue to monitor the company to ensure compliance with its commitments. The Privacy Commissioner emphasized the importance of stringent data protection, particularly regarding children’s information, highlighting federal laws that necessitate appropriate security measures corresponding to the sensitivity of personal data.

Global News reported that at least 87 Canadian school boards were affected, with the data of over 2.77 million current and former students compromised. Approximately 36,000 staff members were also affected, and data from around 3,500 parents was accessed as well. Following the breach, some school boards reported receiving ransom demands linked to the stolen information. A college student in Massachusetts was charged with cyber extortion related to this hack, with PowerSchool referenced as “Victim 1” in legal documents.

PowerSchool has until the end of July to furnish the OPC with further information concerning the breach and may need to implement additional security measures to protect its PowerSource platform. The company must also validate that it has strengthened its monitoring tools for detecting irregular activity. By the end of 2025, PowerSchool must achieve recertification for the ISO/IEC 27001 global information security standard and furnish the OPC with a third-party security assessment report.

Moreover, any recommendations from the independent security assessment must be reviewed by PowerSchool, which must provide the OPC with an implementation plan or state reasons for non-acceptance. Dufresne believes PowerSchool’s commitments represent a “fair and reasonable” response to the complaints that spurred the initial investigation. PowerSchool is expected to maintain ongoing support for its affected clients while adhering to federal and provincial privacy laws.

In response to the OPC’s announcement, a PowerSchool spokesperson reiterated the organization’s dedication to safeguarding educational data. The spokesperson emphasized their collaboration with the OPC following the breach, stating that the company is committed to enhancing its security infrastructure and ensuring transparent and responsible communication with its education partners across Canada. The ongoing dialogue with the Privacy Commissioner reflects PowerSchool’s recognition of the gravity of the situation and its commitment to better protection protocols in the future.
