PowerSchool

A Massachusetts college student exploited PowerSchool’s lack of multifactor authentication (MFA) to breach its systems in December, exposing sensitive data of over **62 million students** and **9 million teachers** across North America. In Toronto alone, records dating back to **1985**—including **special education and disciplinary files**—were leaked. Investigations by Ontario and Alberta’s privacy commissioners revealed systemic failures: schools lacked **contractual security provisions**, failed to **monitor PowerSchool’s safeguards**, allowed **unrestricted remote access** for support personnel, and had no **breach response plans**. The incident highlighted critical vulnerabilities in third-party vendor oversight, with regulators mandating stricter privacy controls, access limitations, and contract renegotiations to prevent future exposures.

Source: https://therecord.media/canadian-privacy-regulators-say-schools-share-blame-powerschool-hack

PowerSchool cybersecurity rating report: https://www.rankiteo.com/company/powerschool-group-llc

{
  "id": "POW3992039111925",
  "linkid": "powerschool-group-llc",
  "type": "Breach",
  "date": "6/1985",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'students and teachers (records '
                                              'back to 1985)',
                        'industry': 'education',
                        'location': 'Ontario, Canada',
                        'name': 'Ontario Provincial School Systems',
                        'type': 'government/education'},
                       {'customers_affected': 'students and teachers',
                        'industry': 'education',
                        'location': 'Alberta, Canada',
                        'name': 'Alberta Provincial School Systems',
                        'type': 'government/education'},
                       {'customers_affected': '62 million students and 9 '
                                              'million teachers globally',
                        'industry': 'education technology',
                        'location': 'Folsom, California, USA',
                        'name': 'PowerSchool',
                        'type': 'private company'}],
 'attack_vector': ['lack of multifactor authentication (MFA)',
                   'exploited remote access vulnerabilities'],
 'data_breach': {'data_exfiltration': 'yes',
                 'number_of_records_exposed': '71 million (62 million students '
                                              '+ 9 million teachers)',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high (includes long-term historical '
                                        'records)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'educational records',
                                              'special education records',
                                              'disciplinary records']},
 'description': 'Two Canadian provincial governments (Ontario and Alberta) '
                'released investigative findings blaming school systems for '
                'the massive PowerSchool data leak, which exposed data of over '
                '62 million students and 9 million teachers. The breach '
                'occurred due to a lack of multifactor authentication (MFA) '
                'requirements, exploited by a Massachusetts college student in '
                'December. The exposed data included records dating back to '
                '1985, such as special education and disciplinary files. '
                'Investigations revealed failures in contract oversight, '
                'remote access controls, and breach response preparedness by '
                'the affected schools.',
 'impact': {'brand_reputation_impact': ['negative publicity for PowerSchool '
                                        'and affected school systems',
                                        'regulatory criticism'],
            'data_compromised': ['student records (back to 1985)',
                                 'teacher records',
                                 'special education records',
                                 'disciplinary records'],
            'identity_theft_risk': ['high (due to exposure of PII in '
                                    'student/teacher records)'],
            'legal_liabilities': ['potential violations of privacy laws '
                                  '(Ontario/Alberta)',
                                  'regulatory recommendations for corrective '
                                  'actions'],
            'operational_impact': ['lack of breach response plans',
                                   'regulatory scrutiny'],
            'systems_affected': ['PowerSchool student information systems']},
 'initial_access_broker': {'entry_point': ['exploited lack of MFA',
                                           'unrestricted remote access'],
                           'high_value_targets': ['student information systems',
                                                  'historical educational '
                                                  'records']},
 'investigation_status': 'completed (regulatory investigations by Ontario and '
                         'Alberta)',
 'lessons_learned': ['Importance of contractual security/privacy provisions '
                     'with third-party vendors',
                     'Need for multifactor authentication (MFA) as standard '
                     'protocol',
                     'Criticality of limiting and monitoring remote access by '
                     'vendors',
                     'Necessity of prepared breach response plans'],
 'post_incident_analysis': {'corrective_actions': ['Renegotiate vendor '
                                                   'contracts with stronger '
                                                   'security clauses',
                                                   'Implement MFA and access '
                                                   'controls',
                                                   'Enhance vendor oversight '
                                                   'mechanisms',
                                                   'Develop incident response '
                                                   'plans'],
                            'root_causes': ['Absence of MFA requirements in '
                                            'PowerSchool systems',
                                            'Inadequate contractual '
                                            'security/privacy provisions '
                                            'between schools and PowerSchool',
                                            'Failure to monitor PowerSchool’s '
                                            'security guardrails',
                                            'Unrestricted remote access for '
                                            'PowerSchool support personnel',
                                            'Lack of breach response '
                                            'preparedness']},
 'recommendations': ['Review and renegotiate agreements with PowerSchool to '
                     'include robust privacy/security provisions',
                     'Implement systems to effectively oversee PowerSchool’s '
                     'security program',
                     'Limit remote access to student information systems to '
                     "'as long as necessary' for technical issues",
                     'Develop and maintain incident response plans'],
 'references': [{'source': 'Ontario Information and Privacy Commissioner Press '
                           'Release'},
                {'source': 'Alberta Information and Privacy Commissioner '
                           'Report'}],
 'regulatory_compliance': {'regulations_violated': ['potential violations of '
                                                    'Ontario/Alberta privacy '
                                                    'laws'],
                           'regulatory_notifications': ['investigative reports '
                                                        'by Ontario and '
                                                        'Alberta Information '
                                                        'and Privacy '
                                                        'Commissioners']},
 'response': {'communication_strategy': ['regulatory press releases '
                                         '(Ontario/Alberta commissioners)'],
              'incident_response_plan_activated': 'No (schools lacked prepared '
                                                  'plans)'},
 'stakeholder_advisories': ['regulatory recommendations issued to school '
                            'systems'],
 'threat_actor': 'Massachusetts college student (unidentified)',
 'title': 'PowerSchool Data Leak Affecting Canadian Provincial School Systems',
 'type': ['data breach', 'unauthorized access'],
 'vulnerability_exploited': ['missing MFA requirements',
                             'unrestricted remote access for support '
                             'personnel']}