Canada’s privacy commissioner said Tuesday that he has discontinued his investigation into the PowerSchool data breach after the education software company agreed to take measures to improve its cybersecurity.
The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada.
The office of privacy commissioner Philippe Dufresne (OPC) said in a news release that PowerSchool “took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.”
Those actions include “strengthened monitoring and detection tools,” the OPC release said.
“In light of the actions that PowerSchool has already implemented, and those that it will implement over the coming months, Privacy Commissioner of Canada Philippe Dufresne has decided to discontinue the investigation that he launched in February but will be monitoring to ensure that all of PowerSchool’s commitments are fully met,” it continued.
“I welcome PowerSchool’s willingness to engage with my Office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada,” Dufresne said in a statement.
“Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. This is particularly important when dealing with children’s personal information.”
Dufresne’s investigation began more than a month after the company began to notify PowerSchool users about the data breach, which impacted school boards across most of North America and other countries that PowerSchool serves.
Get breaking National news
Global News contacted every school board across the country early this year to determine how many were impacted. Of those that responded, at least 87 were affected.
Data from those that provided numbers showed that more than 2.77 million current and former students were confirmed to have been affected. In addition, 35,951 staff members, including teachers, were confirmed impacted, with one Nova Scotia school board advising that 3,500 parents’ data was also accessed.
Some Canadian school boards informed families in May that they had received new ransom demands involving the stolen data.
A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors. Sources close to the investigation told The Associated Press and Reuters that PowerSchool was the company identified as “Victim 1” in the criminal complaint.
What did PowerSchool agree to?
According to a letter of commitment with the OPC signed last week and released Tuesday, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and to confirm if it plans to implement any additional authentication process in its affected PowerSource platform.
The company will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools, that those tools can “identify patterns of irregular activity,” and that it has thoroughly reviewed and readjusted its system access privileges for both security and operational needs.
By March 2026, PowerSchool will need to show that it has obtained recertification of the global information security standard known as ISO/IEC 27001.
It must also provide an independent, third-party security assessment and report to the OPC on PowerSchool’s updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures.
If the report includes recommendations for PowerSchool to implement, the company must show the OPC whether it has accepted them and provide an implementation plan and timelines, or provide reasons why it has not accepted them. The commissioner will have to review and approve those submissions.
PowerSchool also agreed to continue supporting affected clients and carry out its regular reporting and notification obligations under federal and provincial privacy laws.
The OPC letter said PowerSchool’s commitments are “a fair and reasonable response to the complaint” that sparked Dufresne’s investigation in February.
“We take the privacy and security of student, educator, and family data extremely seriously,” a PowerSchool spokesperson told Global News in an emailed statement responding to the OPC’s announcement.
“Following the 2024 security incident, we worked closely with the Office of the Privacy Commissioner of Canada to respond swiftly, transparently, and responsibly. We’re grateful for the Commissioner’s collaboration in helping us strengthen our safeguards even further. PowerSchool remains fully committed to making continual investments in our security infrastructure and the ongoing support of our education partners across Canada.”
In a statement to Global News, the office of the Information and Privacy Commissioner of Ontario (IPC) said its own, separate investigation into the PowerSchool data breach remains ongoing.
“While the Office of the Privacy Commissioner of Canada has concluded its engagement with the company, we are actively investigating this breach from the perspective of the ministry and affected school boards, which are accountable under Ontario’s Municipal Freedom of Information and Protection of Privacy Act,” the statement said.
The IPC is calling for mandatory privacy impact assessments and breach notification requirements for school boards and other regulated institutions, in compliance with the recently updated provincial privacy law.
— with files from Global’s Sean Previl
Comments