Months after a major data breach impacting Canadian public schools, Ontario and Alberta’s privacy commissioners say school boards weren’t prepared for the scale of the PowerSchool data breach and are urging changes to their agreements with the technology company.
The two provincial officials announced the findings of their investigations on Tuesday, both of which were launched after multiple school boards and educational bodies reported breaches in late December.
“The incident, which affected millions of Canadians across the country, highlights the importance for educational bodies, including school boards, to maintain high standards for protecting sensitive personal information of their students and educators, including when using service providers,” a press release reads.
Patricia Kosseim and Diane McLeod, Ontario and Alberta’s information and privacy commissioners, respectively, each released separate reports, but their offices say they co-ordinated in their investigations under a memorandum of understanding.
Each report also has key findings in common.
Both commissioners found that “some or all” of the educational bodies failed to include certain privacy and security-related provisions in their PowerSchool contract agreements that ensured they met the requirements of provincial public sector privacy laws.
“There were significant gaps in PowerSchool’s security measures which contributed to the breach of the personal information of the students, parents/guardians and staff,” McLeod noted in her report.
In addition, the school boards and bodies did not have policies and procedures to “effectively” monitor and oversee PowerSchool’s technical and security safeguards to ensure it complied with the terms of its contract, including the use of multi-factor authentication.
Kosseim and McLeod also noted that some or all of these bodies lacked “adequate” breach response plans or protocols.
Dozens of school boards in Canada were impacted by the breach that occurred in December 2024, with similar breaches seen in the U.S. and globally, after the company’s software, which is used to store student and staff data, was compromised.
According to Kosseim’s report, approximately 5.2 million Canadians were impacted.
Get breaking National news
For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.
Global News reached out to each province and territory’s education departments and each school board and district early this year to determine how many utilized the PowerSchool system and which had been impacted by the breach.
According to the various officials and public statements from school boards, data breaches were seen in eight provinces and one territory.
Quebec, New Brunswick, Nunavut, British Columbia and Yukon officials said at the time their boards were not impacted.
An American man, who officials said was a student at Assumption University in Massachusetts, was arrested earlier this year and sentenced in October to four years in prison after pleading guilty to cyber extortion in the data breach.
In her report, Kosseim said 20 school boards and the Ontario Ministry of Education reported to her that they were victims of a cyberattack against PowerSchool.
“A threat actor gained access to PowerSchool’s student information system (SIS) and customer support portal, PowerSource via compromised credentials and exfiltrated personal data held in the SIS,” the report reads.
According to the report, approximately 3.86 million Ontarians were impacted.
In Alberta, McLeod said 33 public and charter schools, school boards and a Francophone regional authority reported the PowerSchool cybersecurity incident to her office.
McLeod’s report said more than 700,000 individuals were affected by the breach in the province.
The commissioners issued a number of recommendations, including urging educational bodies to review and, as needed, renegotiate their agreements with PowerSchool.
The purpose of these potential renegotiations, they said, is to include recommended privacy and security-related provisions to ensure the boards meet public sector privacy law.
They also want school boards and bodies to limit remote access to their student information systems to an “as-needed” basis, with Kosseim stating that her investigation found there was an “always on” feature for remote maintenance used by educational bodies.
“This option allowed the threat actor to gain access into the institutions’ SIS (Student Information System) environments,” Kosseim’s report says.
The recommendations also say the school boards should ensure they have adequate policies and procedures to respond to future breaches.
In addition, the Ontario and Alberta governments are urged to support the education sector and strengthen the bargaining power of educational bodies and school boards when negotiating agreements with education tech service providers to ensure privacy law requirements are met.
“It is essential to remember that privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected. There is no way around this. It simply must be done,” McLeod said in a statement.
In response to the report, Alberta Education Minister Demetrios Nicolaides said the government will work closer with school boards.
“They had recommended that we work a little bit more closely with school divisions and lend them some of our expertise, so we’ll definitely be doing that,” Nicolaides said. “Those individual agreements are signed with the school boards directly, but if we have some insights and some expertise we can lend, we’ll be happy to.”
—with files from The Associated Press
© 2025 Global News, a division of Corus Entertainment Inc.
School boards must make privacy changes after PowerSchool breach: watchdogs
