Canada’s Privacy Commissioner is contacting PowerSchool after its software — used by schools across North America to store student data — became the subject of a high-profile controversy. data breach.
“The Office of the Privacy Commissioner of Canada is in contact with Power School to obtain more information on this violation and determine next steps,” wrote a spokesperson for Philippe Dufresne’s office in an email to Global News.
The statement from Dufresne’s office comes after being reported by The Canadian Press several Canadian school boards are among those affected by the data breach.
Officials in Ontario, Alberta, Newfoundland and Labrador and Nova Scotia say they are working with PowerSchool to determine the extent of the breach.
The company behind the software says on its website that it has determined that certain “personally identifiable information,” such as social security numbers and medical information, “was involved” in the breach. PowerSchool says it is working to identify data that may have been leaked in the incident, which it says it became aware of on December 28.
How might children be affected?
John Zabiuk, chair of the Northern Alberta Institute of Technology (NAIT Polytechnic) cybersecurity program, said if this information was leaked about children, “we want to make sure there are no predators or anyone looking to harm children. use of this (information). »
Receive national news daily
Get the day’s top news, politics, business and current affairs headlines delivered to your inbox once a day.
Zabiuk warned that if the information leaked involved social security numbers or more basic information like a name, phone number and date of birth, it could trigger the process of the information being used by bad actors. actors.
“As long as you have enough information that corroborates that you are who you say you are, you can assume an identity,” he said.
He added that if a SIN was accessed, a person could use it to create an account in that student’s name and “effectively take over” a person’s financial life, and could lead to a student later learning that he has bad credit.
A PowerSchool spokesperson added that it was working “urgently” to identify specific individuals whose data may have been leaked and said “the data affected varies in volume and sensitivity depending on the school district.”
Zabiuk said that while it is not yet clear to what extent the number of students, staff or parents are affected, the breach provides an opportunity for people to talk to their children about online safety .
“Let them know the kinds of things that might happen that they should be aware of, maybe all of a sudden strange people contact them or they get emails or just things seem weird,” he said.
Zabiuk added that going forward, PowerSchool needs to review its architecture to avoid future data breaches, and said that having one account have access to multinational data is an issue.
According to information provided by PowerSchool, the data breach involved unauthorized access to certain PowerSchool Student Information System (SIS) data through PowerServe, one of its community-focused customer portals.
The company says it communicated with its customers on January 7, adding that those who do not use PowerSchool SIS were not affected.
Some school boards indicated what information was accessed, such as Saint-Albert Public SchoolIn Alberta, names, dates of birth, phone numbers and addresses of accounts dating back to 2012 were exported, while others, like the Toronto District School Board, said they were still working to determine which data had been consulted.
The Ontario Privacy Commissioner’s office told Global News it has received privacy breach reports from 19 school boards related to the incident and is investigating the matter. case, but was unable to provide further information about what data might have been accessed, calling it “very concerning.” sensitive data may have been exposed.
Edmonton Catholic Schools posted online a letter they received from PowerSchool saying they were affected, with the Cape Breton-Victoria Regional Education Center in Nova Scotia also saying they were part of the violation, without providing further details.
The company told Global News it expects the majority of customers involved did not have social security numbers or medical information “exfiltrated,” although it did not specify whether Canadian social insurance numbers had been accessed.
PowerSchool also says it has no evidence that credit card or banking information was involved.
—with files from The Canadian Press
© 2025 Global News, a division of Corus Entertainment Inc.