Alberta Privacy Commissioner Probing PowerSchool Data Breaches

Alberta’s privacy authority has initiated an investigation into over 30 data breaches linked to the PowerSchool cyberattack, which targeted educational institutions across the province. In a statement released on Wednesday, the provincial government outlined the situation, detailing the implications of this security incident on student and staff privacy.

PowerSchool, a widely used cloud-based software platform that serves K-12 educational systems, fell victim to a cyberattack in late December. This breach allowed unauthorized access to sensitive data from numerous North American schools, including those in Alberta. Since the incident, the company has begun notifying individuals whose personal information may have been compromised.

The Office of the Information and Privacy Commissioner (OIPC) of Alberta is currently evaluating 31 breach notifications related to unauthorized access to students’ personal data. Notably, these notifications indicate that some teachers’ personal information was also at risk. In response, Information and Privacy Commissioner Diane McLeod emphasized that her office will collaborate with affected schools to mitigate potential risks for those whose data was exposed.

Commissioner McLeod highlighted that a “significant number” of Albertans, especially students, have been impacted by this breach. Her office is actively reviewing notifications as they arrive to ascertain the total number of individuals affected within Alberta. Concurrently, federal Privacy Commissioner Philippe Dufresne has also announced an investigation into the PowerSchool breach, indicating that this situation is being examined at multiple governance levels.

The breach was initially discovered by PowerSchool on December 28, according to information provided by the company on its website. The unauthorized access stemmed from PowerSource, one of PowerSchool’s community-oriented customer support forums, which inadvertently exposed various personal and health-related information of users.

Among the compromised data were students’ names, phone numbers, birth dates, genders, grades, school-issued email addresses, and student identification numbers. Additionally, sensitive health data such as medical conditions, allergies, medications, personal health numbers, physician contact information, and guardian details were also accessed.

In an effort to address the impact of this incident, PowerSchool appears to be providing affected individuals with credit monitoring and identity theft protection services. Those who have received notice of the breach are encouraged to contact PowerSchool directly for further information regarding support services.

The OIPC recommends that individuals with questions about their rights under Alberta’s privacy regulations visit its website for guidance. This incident underscores the pressing need for organizations—especially those in the education sector—to reinforce cybersecurity measures to protect sensitive data from potential breaches.

Viewed through the lens of the MITRE ATT&CK framework, the adversaries could have employed tactics such as initial access via exploitation of vulnerabilities, along with potential persistence techniques. Understanding these tactics allows organizations to better prepare for and defend against similar threats in the future.
