Privacy commissioner probing massive breach of student information

The federal privacy watchdog has launched an investigation into a cybersecurity breach at a company that stores the personal information of K-12 students across Canada.

Breach at PowerSchool exposed personal details of millions of students, staff across Canada

Privacy commissioner Philippe Dufresne said in a statement Tuesday that the probe was launched after his office received a report from U.S.-based PowerSchool, which provides the affected software, and a complaint about the breach.

Last month, PowerSchool told school boards in Newfoundland and Labrador, Nova Scotia, Ontario, Alberta, Manitoba, Prince Edward Island, the Northwest Territories and elsewhere across North America that a data breach in late December had exposed students' personal information.   

The stolen information includes addresses, medical details, grades and disciplinary notes. In some cases, the social insurance numbers of educators and staff were also taken. 

The Toronto District School Board, the country's largest school board, said in January that the addresses, health card numbers, emergency contacts and some medical information of more than 1.49 million students may have been stolen. 

Dufresne says his "immediate focus" is to ensure that PowerSchool is taking measures to reduce the risk to those affected by the breach and to prevent this from happening again.

"My office has had discussions with PowerSchool representatives and remains actively engaged in this matter to ensure that the organization is taking appropriate steps to respond to the breach," he said in the statement. 

PowerSchool provides cloud-based software to dozens of Canadian K-12 school boards to manage student information and communications. In the wake of the data breach, the company is offering two years of protection against identity theft and credit monitoring to affected individuals.  

Private organizations subject to the Personal Information Protection and Electronic Documents Act are required to alert the privacy commissioner of any breach involving personal information that could harm the affected individuals. They must also inform the affected individuals. 

An investigation by the privacy commissioner is triggered when a formal complaint is made. Dufresne had previously stated in January, when news of the breach was initially spreading across school boards, that the incident was on his radar, that he was in contact with PowerSchool and that he was determining next steps.

Names, phone numbers, SINs

PowerSchool is used across the country, and school boards are still working to determine and communicate the extent of the breach. Some provinces have created dedicated websites to answer questions about the breach and funnel Canadians to the credit monitoring services offered by PowerSchool. 

The office of Alberta's privacy commissioner said Wednesday that it had received 31 breach notices from schools across the province. 

One school reported its breach included names, phone numbers, genders, allergies, personal health card numbers, the phone numbers of students' doctors and guardian information, the statement said. 

"We are reviewing the breach notices as they come in to determine the total number of Albertans affected, but it is clear that it is a significant number, including many students," Diane McLeod, information and privacy commissioner for Alberta, said in a release. 

The breach affected just over 35,000 people in the Northwest Territories, according to the territorial government.

In Newfoundland and Labrador, data for more than 14,400 teachers was exposed, with the oldest records dating back to 2010. More than 700 of them had their social insurance numbers included in the breach. More than 271,000 students also had their data accessed, with the oldest records dating back to high school students in 1995.

Roughly 70,000 student records in Prince Edward Island were accessed, and Ontario's privacy commissioner is investigating the 20 school boards affected there. 

More than 35,000 current and former students, 3,500 parents and guardians and 3,200 current and former staff members of Cape Breton-Victoria Regional Centre for Education had their data accessed, according to the Nova Scotia government.

ABOUT THE AUTHOR

Alexandra Mae Jones is a senior writer for CBC News based in Toronto. She has written on a variety of topics, from health to pop culture to breaking news, and previously reported for CTV News and the Toronto Star. She joined CBC in 2024. You can reach her at alexandra.mae.jones@cbc.ca

With files from CBC News' Jessica Wong and The Canadian Press