Student and staff data lost in school divisions’ cyberattack
Advertisement
A cyberattack late last year has affected all four school divisions in the Southeast with data on thousands of students stolen.
The incident happened when the student information system provider, PowerSchool, noticed a cyber security breach on Dec. 28, 2024. It notified the school divisions on Jan.7, whereupon the divisions notified the parents on Jan. 8.
In its letter to parents, Seine River School Division superintendent Colin Campbell stated that an internal log investigation showed data regarding student information (name, date of birth, home phone number, home address, doctor’s name and phone number, sibling information (within the division), MET number, gender, grade level, homeroom, and parent/guardian names) and staff information (name, phone number, email address, employee ID, and school location ID) were stolen.
Data not collected at SRSD included student specific planning (IEPs, behaviour plans, assessment records, medical information). SRSD does not store sensitive information such as social insurance numbers, banking information, login and password information in PowerSchool.
Hanover School Division, Sunrise School Division, and Borderland School Division’s letters to parents states information gathered included information about students and staff — particularly contact information and other information provided to the division at the time the student was registered, or when staff commenced their employment. No banking information was accessed, and no images of students were accessed.
Information such as this can be sold by hackers on the black market on the web where people use it for marketing purposes, identity theft, or to gain access to accounts, according to Dr. David Gerhard, head of the computer science department at the University of Manitoba. Since the bulk of the data was children’s information, Gerhard said the information could be used to hack into social media accounts.
Gerhard said the PowerSchool matter was a ransomware event where the hackers demanded money in exchange for deleting the stolen data. PowerSchool paid the ransom, which could be in the millions of dollars.
“It seems like the chances are reasonably good that this data has been genuinely destroyed and probably things are OK, but again it’s a criminal organization that is attempting to have a trust relationship with the people whose data they’ve stolen and that is problematic.”
The RCMP is not investigating the matter since it wasn’t a Manitoba company.
All the school divisions stated that PowerSchool has deactivated accounts and initiated “enhanced processes for passwords and access.” PowerSchool has also provided assurances to the school divisions that accessed data has been deleted and that it is actively engaged with cybersecurity professionals to monitor the situation.
PowerSchool is a California-based provider of cloud software to over 18,000 customers in more than 90 countries and holds the data of more than 60 million students globally. It has been in Canada since 2015.
It’s estimated that 80 percent of school divisions in the province were affected by the cyber breach.