
"In coordinated findings published this week, the privacy commissioners of Ontario and Alberta said that the December 2024 intrusion was made worse by widespread failings across the education sector. While compromised login credentials let the attackers into PowerSchool's systems, investigators concluded that many school boards hadn't put basic contractual, security, or oversight safeguards in place before handing over student data."
"The joint reports land nearly a year after it was revealed that PowerSchool had quietly paid a ransom to criminals who claimed that they had exfiltrated personal data from the company's hosted education platforms. At the time, PowerSchool insisted that the crooks had "deleted" what they stole, but as The Register later reported, extortionists soon began shaking down individual school districts using the very same loot - strongly suggesting the data was never wiped."
"According to the provincial commissioners, roughly 3.86 million Ontarians and more than 700,000 Albertans were swept up in the breach. The exposed information included everything from students' names and contact details to birth dates, education records, identifiers, and in some cases medical information. Ontario's report warns that some boards had been keeping decades' worth of sensitive records - in some cases dating back to the 1960s - which "amplified the real risk of significant harm" when attackers grabbed entire student and staff tables."
Provincial privacy commissioners in Ontario and Alberta found that the December 2024 PowerSchool intrusion was worsened by systemic failures across many school boards. Compromised login credentials allowed attackers into PowerSchool systems, but many boards lacked contractual, security, and oversight safeguards before sharing student and staff data. Approximately 3.86 million Ontarians and more than 700,000 Albertans had records exposed, including names, contact details, birth dates, education records, identifiers, and in some cases medical information. Some boards retained decades of sensitive records, increasing the risk of harm. Failures included missing privacy clauses, weak vendor oversight, and insufficient remote access protections.
Read at The Register