Canada’s privacy commissioner said Tuesday that he has discontinued his investigation into the PowerSchool data breach after the education software company agreed to take measures to improve its cybersecurity.
The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada.
The office of privacy commissioner Philippe Dufresne (OPC) said in a news release that PowerSchool “took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.”
Those actions include “strengthened monitoring and detection tools,” the OPC release said.
“In light of the actions that PowerSchool has already implemented, and those that it will implement over the coming months, Privacy Commissioner of Canada Philippe Dufresne has decided to discontinue the investigation that he launched in February but will be monitoring to ensure that all of PowerSchool’s commitments are fully met,” it continued.
“I welcome PowerSchool’s willingness to engage with my Office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada,” Dufresne said in a statement.
“Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. This is particularly important when dealing with children’s personal information.”
Dufresne’s investigation began more than a month after the company began to notify PowerSchool users about the data breach, which impacted school boards across most of North America and other countries that PowerSchool serves.
Get daily National news
Get the day’s top news, political, economic, and current affairs headlines, delivered to your inbox once a day.
Global News contacted every school board across the country early this year to determine how many were impacted. Of those that responded, at least 87 were affected.
Data from those that provided numbers showed that more than 2.77 million current and former students were confirmed to have been affected. In addition, 35,951 staff members, including teachers, were confirmed impacted, with one Nova Scotia school board advising that 3,500 parents’ data was also accessed.
Some Canadian school boards informed families in May that they had received new ransom demands involving the stolen data.
A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors. Sources close to the investigation told The Associated Press and Reuters that PowerSchool was the company identified as “Victim 1” in the criminal complaint.
According to a letter of commitment with the OPC signed last week and released Tuesday, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and to confirm if it plans to implement any additional authentication process in its affected PowerSource platform.
The company will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools, that those tools can “identify patterns of irregular activity,” and that it has thoroughly reviewed and readjusted its system access privileges for both security and operational needs.
By March 2026, PowerSchool will need to show that it has obtained recertification of the global information security standard known as ISO/IEC 27001.
It must also provide an independent, third-party security assessment and report to the OPC on PowerSchool’s updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures.
If the report includes recommendations for PowerSchool to implement, the company must show the OPC whether it has accepted them and provide an implementation plan and timelines, or provide reasons why it has not accepted them. The commissioner will have to review and approve those submissions.
PowerSchool also agreed to continue supporting affected clients and carry out its regular reporting and notification obligations under federal and provincial privacy laws.
The OPC letter said PowerSchool’s commitments are “a fair and reasonable response to the complaint” that sparked Dufresne’s investigation in February.
Global News has asked the office of the Information and Privacy Commissioner of Ontario if its investigation into the PowerSchool data breach remains ongoing.
“We take the privacy and security of student, educator, and family data extremely seriously,” a PowerSchool spokesperson told Global News in an emailed statement responding to the OPC’s announcement.
“Following the 2024 security incident, we worked closely with the Office of the Privacy Commissioner of Canada to respond swiftly, transparently, and responsibly. We’re grateful for the Commissioner’s collaboration in helping us strengthen our safeguards even further. PowerSchool remains fully committed to making continual investments in our security infrastructure and the ongoing support of our education partners across Canada.”
— with files from Global’s Sean Previl
Read the full article here
