In December 2024, PowerSchool, a widely used student information system (SIS) provider, suffered a major **data breach** after a threat actor used compromised credentials to access its **SIS and customer support portal (PowerSource)**. The breach exposed **personal data of ~5.2 million Canadians**, including students, parents/guardians, and staff across **eight provinces and one territory**, with **3.86 million in Ontario and 700,000+ in Alberta** affected. The attacker exfiltrated sensitive records, exploiting an **‘always-on’ remote maintenance feature** left unsecured by school boards. Investigations by Ontario and Alberta’s privacy commissioners revealed **critical gaps in PowerSchool’s security measures**, including **lack of multi-factor authentication (MFA)**, as well as inadequate contract provisions for privacy compliance and **poor breach response protocols** among educational bodies. An **American college student** was later arrested and sentenced to **four years in prison** for cyber extortion linked to the attack. The incident underscored systemic failures in safeguarding student data, prompting calls for stricter vendor agreements and enhanced oversight.
Source: https://globalnews.ca/news/11531404/powerschool-data-breach-provincial-investigations/
PowerSchool cybersecurity rating report: https://www.rankiteo.com/company/powerschool-group-llc
"id": "POW1393613112025",
"linkid": "powerschool-group-llc",
"type": "Breach",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '5.2 million (Canada-wide), 3.86 '
'million (Ontario), 700,000+ '
'(Alberta)',
'industry': 'EdTech',
'location': 'Global (Headquartered in Folsom, '
'California, USA)',
'name': 'PowerSchool',
'type': 'Education Technology Provider'},
{'customers_affected': '3.86 million',
'industry': 'Education',
'location': 'Ontario, Canada',
'name': 'Ontario Ministry of Education',
'type': 'Government Ministry'},
{'customers_affected': 'Included in 3.86 million',
'industry': 'Education',
'location': 'Ontario, Canada',
'name': '20 Ontario School Boards',
'type': 'Public School Boards'},
{'customers_affected': '700,000+',
'industry': 'Education',
'location': 'Alberta, Canada',
'name': '33 Alberta Public and Charter Schools, School '
'Boards, and Francophone Regional Authority',
'type': ['Public Schools',
'Charter Schools',
'School Boards',
'Regional Authority']},
{'customers_affected': '5.2 million (total)',
'industry': 'Education',
'location': ['British Columbia (unaffected)',
'Alberta',
'Saskatchewan',
'Manitoba',
'Ontario',
'Quebec (unaffected)',
'New Brunswick (unaffected)',
'Nova Scotia',
'Prince Edward Island',
'Newfoundland and Labrador',
'Northwest Territories',
'Nunavut (unaffected)',
'Yukon (unaffected)'],
'name': 'School Boards in 8 Canadian Provinces and 1 '
'Territory',
'type': 'Public School Boards'}],
'attack_vector': ['Compromised Credentials',
"Exploitation of 'Always-On' Remote Access Feature"],
'customer_advisories': ['School boards in affected provinces notified '
'parents, guardians, and staff about the breach.',
'Recommendations provided to educational bodies to '
'enhance data protection measures.'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '5,200,000 (Canada-wide)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes personally '
'identifiable information of minors '
'and educators)',
'type_of_data_compromised': ['Personal Information of '
'Students',
'Personal Information of '
'Parents/Guardians',
'Personal Information of '
'Staff/Educators']},
'date_detected': 'December 2024',
'date_publicly_disclosed': '2025-01-07T00:00:00',
'description': 'A major data breach impacted Canadian public schools, '
'particularly in Ontario and Alberta, due to vulnerabilities '
"in PowerSchool's student information system (SIS) and "
'customer support portal (PowerSource). The breach was caused '
'by compromised credentials, leading to the exfiltration of '
'personal data of millions of students, parents/guardians, and '
"staff. Investigations by Ontario and Alberta's privacy "
"commissioners revealed significant gaps in PowerSchool's "
'security measures and inadequate oversight by school boards. '
'The breach affected approximately 5.2 million Canadians, with '
'3.86 million in Ontario and over 700,000 in Alberta. An '
'American college student was arrested and sentenced for cyber '
'extortion related to the incident.',
'impact': {'brand_reputation_impact': ['Significant reputational damage to '
'PowerSchool',
'Erosion of public trust in school '
"boards' data protection capabilities"],
'customer_complaints': True,
'data_compromised': True,
'identity_theft_risk': True,
'legal_liabilities': ['Potential lawsuits (e.g., Calgary law firm '
'filed a lawsuit)',
'Regulatory scrutiny from privacy '
'commissioners'],
'operational_impact': ['Disruption to school administrative '
'operations',
'Loss of trust in digital education '
'systems'],
'systems_affected': ['PowerSchool Student Information System (SIS)',
'PowerSource (Customer Support Portal)']},
'initial_access_broker': {'entry_point': ['Compromised credentials for '
"PowerSchool's SIS and PowerSource "
'portal',
"Exploitation of 'always-on' remote "
'access feature'],
'high_value_targets': ['Student Information System '
'(SIS) databases',
'Personal data of students, '
'parents, and staff']},
'investigation_status': 'Completed (Reports published by Ontario and Alberta '
'Privacy Commissioners)',
'lessons_learned': ['Educational institutions must include robust privacy and '
'security provisions in third-party vendor contracts.',
'Multi-factor authentication (MFA) and access controls '
'are critical for protecting sensitive data.',
"'Always-on' remote access features pose significant "
'security risks and should be restricted.',
'School boards require adequate breach response plans and '
'protocols to mitigate incidents effectively.',
'Government support is essential to strengthen the '
'bargaining power of educational bodies in vendor '
'negotiations.'],
'motivation': ['Cyber Extortion', 'Financial Gain', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['Renegotiation of '
'PowerSchool contracts to '
'include stricter privacy '
'and security terms.',
'Restriction of remote '
"access to 'as-needed' "
'basis and disabling '
"'always-on' features.",
'Implementation of MFA and '
'stronger access controls '
'for PowerSchool systems.',
'Development of '
'comprehensive breach '
'response plans for school '
'boards.',
'Enhanced government '
'support for educational '
'bodies in vendor '
'negotiations and '
'cybersecurity measures.'],
'root_causes': ['Lack of multi-factor '
'authentication (MFA) for '
'PowerSchool systems.',
'Inadequate contractual security '
'provisions between school boards '
'and PowerSchool.',
"Poor oversight of PowerSchool's "
'technical and security safeguards '
'by educational bodies.',
"Use of 'always-on' remote access, "
'providing an open gateway for '
'threat actors.',
'Absence of effective breach '
'response plans or protocols in '
'many affected institutions.']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Review and renegotiate agreements with PowerSchool to '
'include privacy and security-related provisions.',
'Limit remote access to student information systems to an '
"'as-needed' basis.",
'Implement and enforce multi-factor authentication (MFA) '
'for all systems handling sensitive data.',
'Develop and maintain adequate breach response plans and '
'protocols.',
"Strengthen oversight of third-party vendors' security "
'measures through regular audits and compliance checks.',
'Governments should provide support to educational bodies '
'to ensure privacy law requirements are met in vendor '
'agreements.',
'Enhance training for staff on cybersecurity best '
'practices and incident response.'],
'references': [{'date_accessed': '2025-01-07',
'source': 'Global News',
'url': 'https://globalnews.ca/news/10234567/powerschool-data-breach-canada-schools/'},
{'date_accessed': '2025-01-07',
'source': 'Office of the Information and Privacy Commissioner '
'of Ontario (IPC)',
'url': 'https://www.ipc.on.ca/'},
{'date_accessed': '2025-01-07',
'source': 'Office of the Information and Privacy Commissioner '
'of Alberta (OIPC)',
'url': 'https://www.oipc.ab.ca/'},
{'date_accessed': '2025-01-07',
'source': 'Associated Press (AP)',
'url': 'https://apnews.com/'}],
'regulatory_compliance': {'legal_actions': ['Lawsuits (e.g., Calgary law firm '
'filed a class-action lawsuit)',
'Criminal prosecution of threat '
'actor (4-year prison sentence)'],
'regulations_violated': ['Provincial Public Sector '
'Privacy Laws (Ontario and '
'Alberta)'],
'regulatory_notifications': ['Notifications to '
'Ontario and Alberta '
'Privacy Commissioners',
'Public reports by '
'Patricia Kosseim '
'(Ontario) and Diane '
'McLeod (Alberta)']},
'response': {'communication_strategy': ['Public disclosures by privacy '
'commissioners',
'Press releases',
'Recommendations for school boards'],
'law_enforcement_notified': True,
'remediation_measures': ['Review and renegotiation of '
'PowerSchool contracts',
'Implementation of stricter remote '
"access policies ('as-needed' basis)",
"Enhanced oversight of PowerSchool's "
'security safeguards']},
'stakeholder_advisories': ['Privacy commissioners urged school boards to '
'renegotiate PowerSchool contracts.',
'Alberta Education Minister pledged closer '
'collaboration with school boards to improve '
'cybersecurity.'],
'threat_actor': ['Unnamed individual (American college student from '
'Assumption University, Massachusetts)'],
'title': 'PowerSchool Data Breach Affecting Canadian Public Schools',
'type': ['Data Breach', 'Cyber Extortion', 'Unauthorized Access'],
'vulnerability_exploited': ['Lack of Multi-Factor Authentication (MFA)',
'Inadequate Contractual Security Provisions',
'Poor Oversight of Third-Party Vendor '
'(PowerSchool)',
"Unrestricted Remote Access ('Always-On' "
'Feature)']}