School boards caught unprepared in mass student data breach: provincial watchdogs

Privacy watchdogs in Ontario and Alberta issued their findings Tuesday after investigating a mass data breach of a student information system used across Canada, concluding that school boards lacked adequate breach response plans, among other issues.

Ontario’s privacy commissioner says PowerSchool, a software and storage company for school systems in the U.S. and Canada, was a victim of a cyberattack and ransom threat in December 2024 that compromised the data of current and former students, parents and staff.

Ontario’s watchdog says about 5.2 million Canadians were affected by the cyberattack, and while PowerSchool paid a ransom, the threat actor also demanded ransom payments from school boards, including those in Toronto and Peel Region.

Though Ontario and Alberta launched separate investigations, both had common findings, including that some or all school boards lacked adequate breach response plans or protocols, failed to include certain privacy and security provisions in their contracts with PowerSchool and lacked policies to oversee PowerSchool’s safeguards.

The provincial privacy commissioners made recommendations in their reports, including that the boards review their agreements with PowerSchool, implement monitoring systems and ensure adequate breach policies are in place.

The findings come after a 19-year-old Massachusetts man was sentenced to four years in prison last month after pleading guilty to the cyber extortion of two companies, including PowerSchool.

Court documents say a company the man targeted received a ransom demand for $2.85 million worth of bitcoin with a threat to leak the names, email addresses, phone numbers, medical information and other data of millions of students and teachers.

PowerSchool said at the time of the sentencing that it remained “focused on supporting our school partners and safeguarding student, family and educator data.”

In February, Canada’s federal privacy watchdog launched an investigation into the data breach.

Privacy commissioner Philippe Dufresne discontinued that investigation in July, citing his office’s satisfaction with the company’s response and commitment to added security measures such as strengthened monitoring and detection tools.

PowerSchool has said it will provide the commissioner with an independent security assessment and report of its information safeguards by March 2026.

This report by The Canadian Press was first published Nov. 18, 2025.

Rianna Lim, The Canadian Press