By: Maggie Macintosh, Local Journalism Initiative Reporter, Winnipeg Free Press
Canada’s privacy commissioner is investigating a cyberattack involving a popular education technology software vendor used by the majority of Manitoba’s 38 public school boards.
PowerSchool recently informed its local clients — many of which pay for its student information system — that an unauthorized third-party had accessed their data over the winter break.
Schools across the US — where the company’s Folsom, Calif., headquarters are located — and Canada have been affected to varying degrees. Names, contact information, birthdays, medical alerts and social insurance (Canada) and social security (US) numbers are among the compromised data.
Manitoba school divisions have informed their respective community members that PowerSchool will notify them personally if their information was accessed.
“Except for 12 individuals whose social insurance numbers were identified as stored in our (safety instrumented system), no parent/guardian, staff, or student SIN, banking, or credit information has been identified as stored in our SIS,” superintendent Christian Michalik wrote in a Jan. 30 memo to the Louis Riel School Division community.
Philippe Dufresne, Privacy Commissioner of Canada, alerted the public Tuesday that his office had received a complaint about the wider situation and he has launched a related probe under the Personal Information Protection and Electronic Documents Act.
“My immediate focus is on ensuring that the company is taking the necessary steps to address the issue and protect Canadians’ personal information, notably breach containment and measures to reduce risks to those affected, as well as actions to prevent future breaches,” Dufresne said in a statement.
The privacy commissioner noted he received a breach report from PowerSchool and has been advised that affected Canadians are being notified by the firm.
PowerSchool is offering two years of both identity protection and credit monitoring services to all students and educators whose information was accessed in the cyberattack.
Per PowerSchool’s website, management was alerted about a leak on Dec. 28. It was determined that a hacker got access to information via one of its customer-support portals.
While noting data breaches have surged over the last decade, Dufresne urged organizations across the country to prioritize information security and pay close attention to their internal processes — especially when children’s data is involved.
The Pembina Trails School Division was subject to an earlier cyberattack that caused widespread disruption in classrooms across south Winnipeg after unusual activity was detected on Dec. 2.
The incident temporarily shut down school phones and interrupted employee payment schedules.
Employees were informed on Feb. 7 that some division files were found on the dark web, or what administration described as “part of the web that cannot be easily accessed by using traditional web browsers.”
Pembina Trails current and former staff and students were offered free credit monitoring for 36 months.
Administration has not shared whether it paid off a hacker to limit leaks, but one local division informed its community members that PowerSchool paid a ransom fee to protect its clients in connection to the Dec. 28 incident.
The Manitoba Ombudsman has been notified about both the PowerSchool and Pembina Trails incidents.
