When student data is hacked & stolen: Regulators’ lessons from the #PowerSchool data breach

A close look at the #PowerSchool #cybersecurity incident, perhaps the largest education-sector data breach ever investigated in Canada, and the findings issued by the Information and Privacy Commissioners of Ontario and Alberta. PowerSchool is widely used by Canadian school boards to manage student information, including enrollment, grades, contact details, and medical alerts. In late 2024, a threat actor gained access to PowerSchool’s systems using compromised credentials belonging to a support contractor, allowing them to exfiltrate sensitive student and educator data affecting millions of individuals across multiple provinces. This video explains: ► What PowerSchool is and how school boards rely on it ► How the cyberattack occurred and what data was accessed ► What Ontario and Alberta privacy regulators investigated ► Where the regulators’ findings align — and where they differ What this case teaches about outsourcing, vendor oversight, and accountability under Canadian privacy law Both regulators concluded that school boards remained legally responsible for protecting personal information, even though PowerSchool operated the systems. The investigations highlight failures in cybersecurity safeguards, contract management, data retention practices, and breach preparedness — and underscore the heightened sensitivity of children’s personal information. Relevant links: ► Ontario finding: https://www.ipc.on.ca/en/resources/po... ► Alberta finding: https://oipc.ab.ca/wp-content/uploads... ► Saskatchewan finding: https://oipc.sk.ca/assets/la-foip-inv... Where you can find me ► Privacylawyer blog: https://blog.privacylawyer.ca ► My law firm: https://www.mcinnescooper.com/people/... ► Twitter:   / privacylawyer   ► LinkedIn:   / davidtsfraser   Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel. All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.