Canadian privacy watchdogs say that school boards must shoulder part of the blame for the PowerSchool mega-breach, not just the ed-tech giant that lost control of millions of student and staff records.
In coordinated findings published this week, the privacy commissioners of Ontario and Alberta said that the December 2024 intrusion was made worse by widespread failings across the education sector. While compromised login credentials let the attackers into PowerSchool’s systems, investigators concluded that many school boards hadn’t put basic contractual, security, or oversight safeguards in place before handing over student data.
The joint reports land nearly a year after it was revealed that PowerSchool had quietly paid a ransom to criminals who claimed that they had exfiltrated personal data from the company’s hosted education platforms. At the time, PowerSchool insisted that the crooks had “deleted” what they stole, but as The Register later reported, extortionists soon began shaking down individual school districts using the very same loot – strongly suggesting the data was never wiped.
According to the provincial commissioners, roughly 3.86 million Ontarians and more than 700,000 Albertans were swept up in the breach. The exposed information included everything from students’ names and contact details to birth dates, education records, identifiers, and in some cases medical information.
Ontario’s report warns that some boards had been keeping decades’ worth of sensitive records – in some cases dating back to the 1960s – which “amplified the real risk of significant harm” when attackers grabbed entire student and staff tables.
But the watchdogs say PowerSchool wasn’t the only one asleep at the wheel. Many school boards had failed to include mandatory privacy and security clauses in their contracts. Others didn’t properly oversee the vendor’s remote-access arrangements, didn’t require multi-factor authentication for support sessions, and hadn’t set up proper breach-response plans. PowerSchool’s “always-on” remote support capabilities were singled out as a particularly risky arrangement that school boards never properly scrutinized.
The report also reveals that unauthorized access using the contractor’s compromised credentials had occurred months earlier between August and September 2024, but went undetected because PowerSchool’s logging retention window was too short to preserve evidence.
Ontario commissioner Patricia Kosseim said: “Sector-wide coordination and cooperation among school boards, strongly supported by government, would strengthen their contract negotiations with ed-tech service providers, as well as the oversight and monitoring measures necessary to ensure compliance with their obligations under public sector privacy laws.”
Alberta commissioner Diane McLeod added that “privacy does not happen on its own” and requires “a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected.”
The PowerSchool cyberattack began in late December 2024, when criminals used compromised credentials to get into PowerSchool’s systems. From there, they grabbed a trove of data large enough to fuel months of chaos. According to Ontario’s report, attackers used the subcontractor’s access to automate the exfiltration of two core database tables – the full student table and the full educator table – across every affected school board.
In May, Matthew Lane, 19, a student at Assumption University in Massachusetts, pleaded guilty to conspiring to extort a school software supplier that held data on “more than 60 million students and 10 million teachers,” according to the Department of Justice. A source familiar with the matter confirmed to The Register that this company was PowerSchool.
The commissioners’ reports make clear that schools weren’t merely unlucky victims. By failing to set boundaries, enforce controls, or check what their supplier was actually doing under the hood, many education bodies increased the blast radius of the breach. The findings also highlight a broader pattern: public institutions are now so dependent on third-party platforms that they often outsource risk without outsourcing responsibility.
Ultimately, the watchdogs aren’t just calling out one leaky vendor but an entire sector that forgot it had homework. And unless those lessons stick, the next breach won’t be a surprise – it’ll be an inevitability. ®